Vulnerability category: CGI
Vulnerability level:
Vulnerability information
Red Hat JBoss Enterprise Application Platform (or JBoss EAP) is a subscription-based/open-source Java EE-based application server runtime platform used for building, deploying, and hosting highly-transactional Java applications and services.
Red Hat JBoss EAP contains the following vulnerabilities:
CVE-2013-6440: It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
CVE-2013-4517: It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service (DoS).
CVE-2014-0018: In Red Hat JBoss Enterprise Application Platform, when running under a security manager, it was possible for deployed code to get access to the Modular Service Container (MSC) service registry without any permission checks. This could allow malicious deployments to modify the internal state of the server in various ways.
Affected Versions:
Red Hat Enterprise Application Platform (EAP) before 6.2.1
Impact
Depending on the vulnerability being exploited, an attacker could read files accessible to the user running the application server or cause a DoS attack.
Solution
Customers are advised to download Red Hat EAP 6.2.1 or a later version to remediate these vulnerabilities.
Patch:
Following are links for downloading patches to fix the vulnerabilities: