Vulnerabilities > CVE-2019-16335 - Deserialization of Untrusted Data vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
fasterxml
fedoraproject
debian
netapp
redhat
oracle
CWE-502
critical
nessus

Summary

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Vulnerable Configurations

Part Description Count
Application
Fasterxml
130
Application
Netapp
3
Application
Redhat
2
Application
Oracle
61
OS
Fedoraproject
2
OS
Debian
3
OS
Redhat
3

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-0160.NASL
    descriptionAn update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI
    last seen2020-06-01
    modified2020-06-02
    plugin id133157
    published2020-01-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133157
    titleRHEL 7 : JBoss EAP (RHSA-2020:0160)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2020:0160. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133157);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/24");
    
      script_cve_id("CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531");
      script_xref(name:"RHSA", value:"2020:0160");
    
      script_name(english:"RHEL 7 : JBoss EAP (RHSA-2020:0160)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update is now available for Red Hat JBoss Enterprise Application
    Platform 7.2 for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
    applications based on the WildFly application runtime.
    
    This release of Red Hat JBoss Enterprise Application Platform 7.2.6
    serves as a replacement for Red Hat JBoss Enterprise Application
    Platform 7.2.5, and includes bug fixes and enhancements. See the Red
    Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for
    information about the most significant bug fixes and enhancements
    included in this release.
    
    Security Fix(es) :
    
    * undertow: possible Denial Of Service (DOS) in Undertow HTTP server
    listening on HTTPS (CVE-2019-14888)
    
    * jboss-cli: JBoss EAP: Vault system property security attribute value
    is revealed on CLI 'reload' command (CVE-2019-14885)
    
    * netty: HTTP request smuggling by mishandled whitespace before the
    colon in HTTP headers (CVE-2019-16869)
    
    * jackson-databind: polymorphic typing issue related to
    com.zaxxer.hikari.HikariConfig (CVE-2019-14540)
    
    * jackson-databind: Serialization gadgets in classes of the
    commons-dbcp package (CVE-2019-16942)
    
    * jackson-databind: Serialization gadgets in classes of the
    commons-configuration package (CVE-2019-14892)
    
    * jackson-databind: polymorphic typing issue related to
    com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)
    
    * jackson-databind: Serialization gadgets in classes of the p6spy
    package (CVE-2019-16943)
    
    * jackson-databind: polymorphic typing issue when enabling default
    typing for an externally exposed JSON endpoint and having
    apache-log4j-extra in the classpath leads to code execution
    (CVE-2019-17531)
    
    * jackson-databind: Serialization gadgets in classes of the xalan
    package (CVE-2019-14893)
    
    * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
    
    * jackson-databind: Serialization gadgets in classes of the ehcache
    package (CVE-2019-17267)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/documentation/en-us/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2020:0160"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10219"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14540"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14885"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14888"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14892"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14893"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16335"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16869"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16942"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16943"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-17267"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-17531"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2020:0160";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL7", rpm:"eap7-jboss"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP");
    
      if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-3.2.11-1.redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-core-2.9.10-1.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jberet-1.3.5-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-netty-4.1.42-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-java-jdk11-7.2.6-5.GA_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-java-jdk8-7.2.6-5.GA_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc");
      }
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-0159.NASL
    descriptionAn update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI
    last seen2020-06-01
    modified2020-06-02
    plugin id133156
    published2020-01-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133156
    titleRHEL 6 : JBoss EAP (RHSA-2020:0159)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2020:0159. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133156);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/24");
    
      script_cve_id("CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531");
      script_xref(name:"RHSA", value:"2020:0159");
    
      script_name(english:"RHEL 6 : JBoss EAP (RHSA-2020:0159)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update is now available for Red Hat JBoss Enterprise Application
    Platform 7.2 for Red Hat Enterprise Linux 6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
    applications based on the WildFly application runtime.
    
    This release of Red Hat JBoss Enterprise Application Platform 7.2.6
    serves as a replacement for Red Hat JBoss Enterprise Application
    Platform 7.2.5, and includes bug fixes and enhancements. See the Red
    Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for
    information about the most significant bug fixes and enhancements
    included in this release.
    
    Security Fix(es) :
    
    * undertow: possible Denial Of Service (DOS) in Undertow HTTP server
    listening on HTTPS (CVE-2019-14888)
    
    * jboss-cli: JBoss EAP: Vault system property security attribute value
    is revealed on CLI 'reload' command (CVE-2019-14885)
    
    * netty: HTTP request smuggling by mishandled whitespace before the
    colon in HTTP headers (CVE-2019-16869)
    
    * jackson-databind: polymorphic typing issue related to
    com.zaxxer.hikari.HikariConfig (CVE-2019-14540)
    
    * jackson-databind: Serialization gadgets in classes of the
    commons-dbcp package (CVE-2019-16942)
    
    * jackson-databind: Serialization gadgets in classes of the
    commons-configuration package (CVE-2019-14892)
    
    * jackson-databind: polymorphic typing issue related to
    com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)
    
    * jackson-databind: Serialization gadgets in classes of the p6spy
    package (CVE-2019-16943)
    
    * jackson-databind: polymorphic typing issue when enabling default
    typing for an externally exposed JSON endpoint and having
    apache-log4j-extra in the classpath leads to code execution
    (CVE-2019-17531)
    
    * jackson-databind: Serialization gadgets in classes of the xalan
    package (CVE-2019-14893)
    
    * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
    
    * jackson-databind: Serialization gadgets in classes of the ehcache
    package (CVE-2019-17267)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/documentation/en-us/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2020:0159"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10219"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14540"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14885"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14888"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14892"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14893"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16335"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16869"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16942"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16943"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-17267"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-17531"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2020:0159";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL6", rpm:"eap7-jboss"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP");
    
      if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-3.2.11-1.redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-core-2.9.10-1.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jberet-1.3.5-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-netty-4.1.42-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc");
      }
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-0161.NASL
    descriptionAn update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI
    last seen2020-06-01
    modified2020-06-02
    plugin id133158
    published2020-01-22
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133158
    titleRHEL 8 : JBoss EAP (RHSA-2020:0161)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2020:0161. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133158);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/24");
    
      script_cve_id("CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531");
      script_xref(name:"RHSA", value:"2020:0161");
    
      script_name(english:"RHEL 8 : JBoss EAP (RHSA-2020:0161)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update is now available for Red Hat JBoss Enterprise Application
    Platform 7.2 for Red Hat Enterprise Linux 8.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
    applications based on the WildFly application runtime.
    
    This release of Red Hat JBoss Enterprise Application Platform 7.2.6
    serves as a replacement for Red Hat JBoss Enterprise Application
    Platform 7.2.5, and includes bug fixes and enhancements. See the Red
    Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for
    information about the most significant bug fixes and enhancements
    included in this release.
    
    Security Fix(es) :
    
    * undertow: possible Denial Of Service (DOS) in Undertow HTTP server
    listening on HTTPS (CVE-2019-14888)
    
    * jboss-cli: JBoss EAP: Vault system property security attribute value
    is revealed on CLI 'reload' command (CVE-2019-14885)
    
    * netty: HTTP request smuggling by mishandled whitespace before the
    colon in HTTP headers (CVE-2019-16869)
    
    * jackson-databind: polymorphic typing issue related to
    com.zaxxer.hikari.HikariConfig (CVE-2019-14540)
    
    * jackson-databind: Serialization gadgets in classes of the
    commons-dbcp package (CVE-2019-16942)
    
    * jackson-databind: Serialization gadgets in classes of the
    commons-configuration package (CVE-2019-14892)
    
    * jackson-databind: polymorphic typing issue related to
    com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)
    
    * jackson-databind: Serialization gadgets in classes of the p6spy
    package (CVE-2019-16943)
    
    * jackson-databind: polymorphic typing issue when enabling default
    typing for an externally exposed JSON endpoint and having
    apache-log4j-extra in the classpath leads to code execution
    (CVE-2019-17531)
    
    * jackson-databind: Serialization gadgets in classes of the xalan
    package (CVE-2019-14893)
    
    * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
    
    * jackson-databind: Serialization gadgets in classes of the ehcache
    package (CVE-2019-17267)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2020:0161"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10219"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14540"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14885"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14888"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14892"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-14893"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16335"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16869"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16942"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-16943"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-17267"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-17531"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 8.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2020:0161";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL8", rpm:"eap7-jboss"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP");
    
      if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-3.2.11-1.redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-core-2.9.10-1.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jberet-1.3.5-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-netty-4.1.42-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el8")) flag++;
      if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el8")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1943.NASL
    descriptionMore deserialization flaws were discovered in jackson-databind relating to the classes in com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource, commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an unauthenticated user to perform remote code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id129539
    published2019-10-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129539
    titleDebian DLA-1943-1 : jackson-databind security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1943-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129539);
      script_version("1.3");
      script_cvs_date("Date: 2019/12/23");
    
      script_cve_id("CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943");
    
      script_name(english:"Debian DLA-1943-1 : jackson-databind security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "More deserialization flaws were discovered in jackson-databind
    relating to the classes in com.zaxxer.hikari.HikariConfig,
    com.zaxxer.hikari.HikariDataSource, commons-dbcp and
    com.p6spy.engine.spy.P6DataSource, which could allow an
    unauthenticated user to perform remote code execution. The issue was
    resolved by extending the blacklist and blocking more classes from
    polymorphic deserialization.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    2.4.2-2+deb8u9.
    
    We recommend that you upgrade your jackson-databind packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/jackson-databind"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjackson2-databind-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjackson2-databind-java-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"libjackson2-databind-java", reference:"2.4.2-2+deb8u9")) flag++;
    if (deb_check(release:"8.0", prefix:"libjackson2-databind-java-doc", reference:"2.4.2-2+deb8u9")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2020-1644.NASL
    descriptionThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1644 advisory. - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540) - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942) - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943) - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-05-21
    modified2020-04-28
    plugin id136041
    published2020-04-28
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136041
    titleRHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:1644)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2020:1644. The text
    # itself is copyright (C) Red Hat, Inc.
    #
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136041);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/20");
    
      script_cve_id(
        "CVE-2019-14540",
        "CVE-2019-16335",
        "CVE-2019-16942",
        "CVE-2019-16943",
        "CVE-2019-17531"
      );
      script_xref(name:"RHSA", value:"2020:1644");
    
      script_name(english:"RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:1644)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Red Hat host is missing one or more security updates.");
      script_set_attribute(attribute:"description", value:
    "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
    referenced in the RHSA-2020:1644 advisory.
    
      - jackson-databind: Serialization gadgets in
        com.zaxxer.hikari.HikariConfig (CVE-2019-14540)
    
      - jackson-databind: Serialization gadgets in
        com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)
    
      - jackson-databind: Serialization gadgets in
        org.apache.commons.dbcp.datasources.* (CVE-2019-16942)
    
      - jackson-databind: Serialization gadgets in
        com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)
    
      - jackson-databind: Serialization gadgets in
        org.apache.log4j.receivers.db.* (CVE-2019-17531)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html");
      script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1644");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-14540");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-16335");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-16942");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-16943");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-17531");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1755831");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1755849");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1758187");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1758191");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1775293");
      script_set_attribute(attribute:"solution", value:
    "Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17531");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_cwe_id(20, 200, 502);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/28");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:apache-commons-collections");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:apache-commons-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bea-stax-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-fastinfoset");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-runtime");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-txw2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-annotations");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-databind");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-json-provider");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-providers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-module-jaxb-annotations");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-httpclient");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:javassist");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:javassist-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jss");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jss-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jss-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ldapjdk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ldapjdk-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-base-java");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-ca");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-core-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-kra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-servlet-4.0-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-servlet-engine");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-symkey");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-nss-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-nss-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3-nss");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3-pki");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:relaxngDatatype");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:resteasy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:slf4j");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:slf4j-jdk14");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:stax-ex");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcatjss");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:velocity");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xalan-j2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xerces-j2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-apis");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xmlstreambuffer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xsom");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Red Hat Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('rpm.inc');
    
    if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item('Host/RedHat/release');
    if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
    os_ver = os_ver[1];
    if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
    
    if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item('Host/cpu');
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
    
    appstreams = {
        'pki-deps:10.6': [
          {'reference':'apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'glassfish-fastinfoset-1.2.13-9.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'glassfish-jaxb-core-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'glassfish-jaxb-runtime-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'glassfish-jaxb-txw2-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'jackson-annotations-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8'},
          {'reference':'jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8'},
          {'reference':'jackson-databind-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8'},
          {'reference':'jackson-jaxrs-json-provider-2.9.9-1.module+el8.1.0+3832+9784644d', 'release':'8'},
          {'reference':'jackson-jaxrs-providers-2.9.9-1.module+el8.1.0+3832+9784644d', 'release':'8'},
          {'reference':'jackson-module-jaxb-annotations-2.7.6-4.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'jakarta-commons-httpclient-3.1-28.module+el8.1.0+3366+6dfb954c', 'release':'8', 'epoch':'1'},
          {'reference':'javassist-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'javassist-javadoc-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'release':'8', 'epoch':'1'},
          {'reference':'pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'release':'8', 'epoch':'1'},
          {'reference':'python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'aarch64', 'release':'8'},
          {'reference':'python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'s390x', 'release':'8'},
          {'reference':'python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'x86_64', 'release':'8'},
          {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'aarch64', 'release':'8'},
          {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'s390x', 'release':'8'},
          {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'x86_64', 'release':'8'},
          {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'aarch64', 'release':'8'},
          {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'s390x', 'release':'8'},
          {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'x86_64', 'release':'8'},
          {'reference':'relaxngDatatype-2011.1-7.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'resteasy-3.0.26-3.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'slf4j-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'slf4j-jdk14-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'stax-ex-1.7.7-8.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'velocity-1.7-24.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'xalan-j2-2.7.1-38.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'xerces-j2-2.11.0-34.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'xml-commons-apis-1.4.01-25.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'xml-commons-resolver-1.2-26.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'xmlstreambuffer-1.5.4-8.module+el8.1.0+3366+6dfb954c', 'release':'8'},
          {'reference':'xsom-0-19.20110809svn.module+el8.1.0+3366+6dfb954c', 'release':'8'}
        ],
        'pki-core:10.6': [
          {'reference':'jss-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'aarch64', 'release':'8'},
          {'reference':'jss-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'s390x', 'release':'8'},
          {'reference':'jss-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'x86_64', 'release':'8'},
          {'reference':'jss-debugsource-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'aarch64', 'release':'8'},
          {'reference':'jss-debugsource-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'s390x', 'release':'8'},
          {'reference':'jss-debugsource-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'x86_64', 'release':'8'},
          {'reference':'jss-javadoc-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'aarch64', 'release':'8'},
          {'reference':'jss-javadoc-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'s390x', 'release':'8'},
          {'reference':'jss-javadoc-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'x86_64', 'release':'8'},
          {'reference':'ldapjdk-4.21.0-2.module+el8.2.0+4573+c3c38c7b', 'release':'8'},
          {'reference':'ldapjdk-javadoc-4.21.0-2.module+el8.2.0+4573+c3c38c7b', 'release':'8'},
          {'reference':'pki-base-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'},
          {'reference':'pki-base-java-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'},
          {'reference':'pki-ca-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'},
          {'reference':'pki-core-debugsource-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'aarch64', 'release':'8'},
          {'reference':'pki-core-debugsource-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'s390x', 'release':'8'},
          {'reference':'pki-core-debugsource-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'x86_64', 'release':'8'},
          {'reference':'pki-kra-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'},
          {'reference':'pki-server-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'},
          {'reference':'pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'aarch64', 'release':'8'},
          {'reference':'pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'s390x', 'release':'8'},
          {'reference':'pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'x86_64', 'release':'8'},
          {'reference':'pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'aarch64', 'release':'8'},
          {'reference':'pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'s390x', 'release':'8'},
          {'reference':'pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'x86_64', 'release':'8'},
          {'reference':'python3-pki-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'},
          {'reference':'tomcatjss-7.4.1-2.module+el8.2.0+4573+c3c38c7b', 'release':'8'}
        ],
    };
    
    flag = 0;
    appstreams_found = 0;
    foreach module (keys(appstreams)) {
      appstream = NULL;
      appstream_name = NULL;
      appstream_version = NULL;
      appstream_split = split(module, sep:':', keep:FALSE);
      if (!empty_or_null(appstream_split)) {
        appstream_name = appstream_split[0];
        appstream_version = appstream_split[1];
        appstream = get_kb_item('Host/RedHat/appstream/' + appstream_name);
      }
      if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {
        appstreams_found++;
        foreach package_array ( appstreams[module] ) {
          reference = NULL;
          release = NULL;
          sp = NULL;
          cpu = NULL;
          el_string = NULL;
          rpm_spec_vers_cmp = NULL;
          epoch = NULL;
          if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
          if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];
          if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
          if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
          if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
          if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
          if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
          if (reference && release) {
            if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
          }
        }
      }
    }
    
    if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module pki-core:10.6 / pki-deps:10.6');
    
    if (flag)
    {
      security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache-commons-collections / apache-commons-lang / bea-stax-api / etc');
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-B171554877.NASL
    description - Update jackson-parent to version 2.10. - Update jackson-bom to version 2.10.0. - Update jackson-annotations to version 2.10.0. - Update jackson-core to version 2.10.0. - Update jackson-databind to version 2.10.0. Resolves CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129833
    published2019-10-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129833
    titleFedora 30 : jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc (2019-b171554877)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-b171554877.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129833);
      script_version("1.3");
      script_cvs_date("Date: 2019/12/19");
    
      script_cve_id("CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943");
      script_xref(name:"FEDORA", value:"2019-b171554877");
    
      script_name(english:"Fedora 30 : jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc (2019-b171554877)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - Update jackson-parent to version 2.10.
    
      - Update jackson-bom to version 2.10.0.
    
      - Update jackson-annotations to version 2.10.0.
    
      - Update jackson-core to version 2.10.0.
    
      - Update jackson-databind to version 2.10.0.
    
    Resolves CVE-2019-14540, CVE-2019-16335, CVE-2019-16942,
    CVE-2019-16943.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-b171554877"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-annotations");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-bom");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-databind");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-parent");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC30", reference:"jackson-annotations-2.10.0-1.fc30")) flag++;
    if (rpm_check(release:"FC30", reference:"jackson-bom-2.10.0-1.fc30")) flag++;
    if (rpm_check(release:"FC30", reference:"jackson-core-2.10.0-1.fc30")) flag++;
    if (rpm_check(release:"FC30", reference:"jackson-databind-2.10.0-1.fc30")) flag++;
    if (rpm_check(release:"FC30", reference:"jackson-parent-2.10-1.fc30")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc");
    }
    
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_UNIFIER_CPU_JAN_2020.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.1.x or 16.2.x prior to 16.2.16.0, or 17.7.x through 17.12.x prior to 17.12.11.2, or 18.8.x prior to 18.8.15, or 19.12.x prior to 19.12.0.1. It is, therefore, affected by multiple vulnerabilities: - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 used in Primavera Unifier. (CVE-2019-14540) - A memory exhaustion flaw exists in Apache Tika
    last seen2020-05-08
    modified2020-01-30
    plugin id133359
    published2020-01-30
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133359
    titleOracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133359);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06");
    
      script_cve_id(
        "CVE-2014-3596",
        "CVE-2018-8032",
        "CVE-2019-0227",
        "CVE-2019-10088",
        "CVE-2019-10093",
        "CVE-2019-10094",
        "CVE-2019-12415",
        "CVE-2019-14540",
        "CVE-2019-16335"
      );
      script_bugtraq_id(107867);
      script_xref(name:"IAVA", value:"2020-A-0140");
    
      script_name(english:"Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application running on the remote web server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Oracle Primavera
    Unifier installation running on the remote web server is 16.1.x or
    16.2.x prior to 16.2.16.0, or 17.7.x through 17.12.x prior to
    17.12.11.2, or 18.8.x prior to 18.8.15, or 19.12.x prior to
    19.12.0.1. It is, therefore, affected by multiple vulnerabilities:
    
      - A Polymorphic Typing issue was discovered in FasterXML
        jackson-databind before 2.9.10 used in Primavera Unifier.
        (CVE-2019-14540)
    
      - A memory exhaustion flaw exists in Apache Tika's RecursiveParserWrapper
        versions 1.7 - 1.21 used in Primavera Unifier. (CVE-2019-10088)
    
      - A Server Side Request Forgery (SSRF) vulnerability affected the
        Apache Axis 1.4 distribution that was last released in 2006. Security
        and bug commits commits continue in the projects Axis 1.x Subversion
        repository, legacy users are encouraged to build from source. The
        successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is
        not vulnerable to this issue. (CVE-2019-0227)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=325111950546185&id=2620236.1&_afrWindowMode=0&_adf.ctrl-state=nxv3x2076_4
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b244b132");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle Primavera Unifier version 16.2.16.0 / 17.12.11.2 / 18.8.15 / 19.12.0.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14540");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/30");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_unifier");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_primavera_unifier.nbin");
      script_require_keys("installed_sw/Oracle Primavera Unifier", "www/weblogic");
      script_require_ports("Services/www", 8002);
    
      exit(0);
    }
    
    include('http.inc');
    include('vcf.inc');
    
    get_install_count(app_name:'Oracle Primavera Unifier', exit_if_zero:TRUE);
    
    port = get_http_port(default:8002);
    get_kb_item_or_exit('www/weblogic/' + port + '/installed');
    
    app_info = vcf::get_app_info(app:'Oracle Primavera Unifier', port:port);
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [
      { 'min_version' : '16.1', 'fixed_version' : '16.2.16.0' },
      { 'min_version' : '17.7', 'fixed_version' : '17.12.11.2' },
      { 'min_version' : '18.8', 'fixed_version' : '18.8.15' },
      { 'min_version' : '19.12', 'fixed_version' : '19.12.0.1' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE); 
    
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2020.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.18, 16.x prior to 16.2.11, 17.x prior to 17.12.6, or 18.x prior to 18.8.8.1. It is, therefore, affected by multiple vulnerabilities, including the following: - Two Polymorphic Typing issues present in FasterXML jackson-databind related to com.zaxxer.hikari.HikariDataSource which can be exploited by remote, unauthenticated attackers. (CVE-2019-16335, CVE-2019-14540) - A man-in-the-middle vulnerability caused by the getCN function in Apache Axis not properly verifying that the server hostname matches a domain name in the subject
    last seen2020-05-08
    modified2020-01-15
    plugin id132936
    published2020-01-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132936
    titleOracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(132936);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06");
    
      script_cve_id(
        "CVE-2014-3596",
        "CVE-2015-9251",
        "CVE-2018-8032",
        "CVE-2019-0227",
        "CVE-2019-11358",
        "CVE-2019-12415",
        "CVE-2019-14540",
        "CVE-2019-16335"
      );
      script_bugtraq_id(
        69295,
        105658,
        107867,
        108023
      );
      script_xref(name:"IAVA", value:"2020-A-0140");
    
      script_name(english:"Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application running on the remote web server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web
    server is 15.x prior to 15.2.18, 16.x prior to 16.2.11, 17.x prior to 17.12.6, or 18.x prior to 18.8.8.1. It is,
    therefore, affected by multiple vulnerabilities, including the following:
    
      - Two Polymorphic Typing issues present in FasterXML jackson-databind related to
        com.zaxxer.hikari.HikariDataSource which can be exploited by remote, unauthenticated attackers.
        (CVE-2019-16335, CVE-2019-14540)
    
      - A man-in-the-middle vulnerability caused by the getCN function in Apache Axis not properly verifying that
        the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of
        the X.509 certificate. An unauthenticated, remote attacker can exploit this to spoof SSL servers via a
        certificate with a subject that specifies a common name in a field that is not a CN field. (CVE-2014-3596)
    
      - A Server Side Request Forgery (SSRF) vulnerability in Apache Axis that can be exploited by an
        unauthenticated, remote attacker. (CVE-2019-0227)
    
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2020.html#AppendixPVA");
      script_set_attribute(attribute:"see_also", value:"https://support.oracle.com/rs?type=doc&id=2620236.1");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle Primavera Gateway version 15.2.18 / 16.2.11 / 17.12.6 / 18.8.8.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-16335");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/08/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/15");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_gateway");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_primavera_gateway.nbin");
      script_require_keys("installed_sw/Oracle Primavera Gateway");
      script_require_ports("Services/www", 8006);
    
      exit(0);
    }
    
    include('http.inc');
    include('vcf.inc');
    
    get_install_count(app_name:'Oracle Primavera Gateway', exit_if_zero:TRUE);
    
    port = get_http_port(default:8006);
    
    app_info = vcf::get_app_info(app:'Oracle Primavera Gateway', port:port);
    
    vcf::check_granularity(app_info:app_info, sig_segments:2);
    
    constraints = [
      { 'min_version' : '15.0.0', 'fixed_version' : '15.2.18' },
      { 'min_version' : '16.0.0', 'fixed_version' : '16.2.11' },
      { 'min_version' : '17.0.0', 'fixed_version' : '17.12.6' },
      { 'min_version' : '18.0.0', 'fixed_version' : '18.8.8.1' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE});
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4542.NASL
    descriptionIt was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server.
    last seen2020-06-01
    modified2020-06-02
    plugin id129597
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129597
    titleDebian DSA-4542-1 : jackson-databind - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4542. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129597);
      script_version("1.3");
      script_cvs_date("Date: 2019/12/23");
    
      script_cve_id("CVE-2019-12384", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943");
      script_xref(name:"DSA", value:"4542");
    
      script_name(english:"Debian DSA-4542-1 : jackson-databind - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that jackson-databind, a Java library used to parse
    JSON and other data formats, did not properly validate user input
    before attempting deserialization. This allowed an attacker providing
    maliciously crafted input to perform code execution, or read arbitrary
    files on the server."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941530"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940498"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933393"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750"
      );
      # https://security-tracker.debian.org/tracker/source-package/jackson-databind
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?61134ddf"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/jackson-databind"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/buster/jackson-databind"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4542"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the jackson-databind packages.
    
    For the oldstable distribution (stretch), these problems have been
    fixed in version 2.8.6-1+deb9u6.
    
    For the stable distribution (buster), these problems have been fixed
    in version 2.9.8-3+deb10u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:jackson-databind");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"10.0", prefix:"libjackson2-databind-java", reference:"2.9.8-3+deb10u1")) flag++;
    if (deb_check(release:"10.0", prefix:"libjackson2-databind-java-doc", reference:"2.9.8-3+deb10u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libjackson2-databind-java", reference:"2.8.6-1+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"libjackson2-databind-java-doc", reference:"2.8.6-1+deb9u6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Redhat

advisories
  • rhsa
    idRHSA-2019:3200
  • rhsa
    idRHSA-2020:0159
  • rhsa
    idRHSA-2020:0160
  • rhsa
    idRHSA-2020:0161
  • rhsa
    idRHSA-2020:0164
  • rhsa
    idRHSA-2020:0445
  • rhsa
    idRHSA-2020:0729
rpms
  • eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el6eap
  • eap7-apache-cxf-rt-0:3.2.11-1.redhat_00001.1.el6eap
  • eap7-apache-cxf-services-0:3.2.11-1.redhat_00001.1.el6eap
  • eap7-apache-cxf-tools-0:3.2.11-1.redhat_00001.1.el6eap
  • eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el6eap
  • eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el6eap
  • eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el6eap
  • eap7-hibernate-core-0:5.3.14-1.Final_redhat_00001.1.el6eap
  • eap7-hibernate-entitymanager-0:5.3.14-1.Final_redhat_00001.1.el6eap
  • eap7-hibernate-envers-0:5.3.14-1.Final_redhat_00001.1.el6eap
  • eap7-hibernate-java8-0:5.3.14-1.Final_redhat_00001.1.el6eap
  • eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el6eap
  • eap7-hibernate-validator-cdi-0:6.0.18-1.Final_redhat_00001.1.el6eap
  • eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el6eap
  • eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el6eap
  • eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el6eap
  • eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el6eap
  • eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el6eap
  • eap7-jackson-datatype-jdk8-0:2.9.10-1.redhat_00003.1.el6eap
  • eap7-jackson-datatype-jsr310-0:2.9.10-1.redhat_00003.1.el6eap
  • eap7-jackson-jaxrs-base-0:2.9.10-1.redhat_00003.1.el6eap
  • eap7-jackson-jaxrs-json-provider-0:2.9.10-1.redhat_00003.1.el6eap
  • eap7-jackson-module-jaxb-annotations-0:2.9.10-2.redhat_00003.1.el6eap
  • eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el6eap
  • eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el6eap
  • eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el6eap
  • eap7-jberet-core-0:1.3.5-1.Final_redhat_00001.1.el6eap
  • eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el6eap
  • eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el6eap
  • eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-cli-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-core-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-eap6.4-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-eap6.4-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-eap7.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-eap7.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-eap7.1-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-eap7.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly10.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly10.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly10.1-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly10.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly11.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly11.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly12.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly12.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly13.0-server-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly14.0-server-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly8.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly8.2-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly9.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-server-migration-wildfly9.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
  • eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el6eap
  • eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el6eap
  • eap7-netty-all-0:4.1.42-1.Final_redhat_00001.1.el6eap
  • eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el6eap
  • eap7-picketlink-wildfly8-0:2.5.5-21.SP12_redhat_00010.1.el6eap
  • eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el6eap
  • eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el6eap
  • eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el6eap
  • eap7-weld-core-impl-0:3.0.6-3.Final_redhat_00003.1.el6eap
  • eap7-weld-core-jsf-0:3.0.6-3.Final_redhat_00003.1.el6eap
  • eap7-weld-ejb-0:3.0.6-3.Final_redhat_00003.1.el6eap
  • eap7-weld-jta-0:3.0.6-3.Final_redhat_00003.1.el6eap
  • eap7-weld-probe-core-0:3.0.6-3.Final_redhat_00003.1.el6eap
  • eap7-weld-web-0:3.0.6-3.Final_redhat_00003.1.el6eap
  • eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el6eap
  • eap7-wildfly-http-client-common-0:1.0.18-2.Final_redhat_00001.1.el6eap
  • eap7-wildfly-http-ejb-client-0:1.0.18-2.Final_redhat_00001.1.el6eap
  • eap7-wildfly-http-naming-client-0:1.0.18-2.Final_redhat_00001.1.el6eap
  • eap7-wildfly-http-transaction-client-0:1.0.18-2.Final_redhat_00001.1.el6eap
  • eap7-wildfly-javadocs-0:7.2.6-5.GA_redhat_00001.1.el6eap
  • eap7-wildfly-modules-0:7.2.6-5.GA_redhat_00001.1.el6eap
  • eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el6eap
  • eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el7eap
  • eap7-apache-cxf-rt-0:3.2.11-1.redhat_00001.1.el7eap
  • eap7-apache-cxf-services-0:3.2.11-1.redhat_00001.1.el7eap
  • eap7-apache-cxf-tools-0:3.2.11-1.redhat_00001.1.el7eap
  • eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el7eap
  • eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el7eap
  • eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el7eap
  • eap7-hibernate-core-0:5.3.14-1.Final_redhat_00001.1.el7eap
  • eap7-hibernate-entitymanager-0:5.3.14-1.Final_redhat_00001.1.el7eap
  • eap7-hibernate-envers-0:5.3.14-1.Final_redhat_00001.1.el7eap
  • eap7-hibernate-java8-0:5.3.14-1.Final_redhat_00001.1.el7eap
  • eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el7eap
  • eap7-hibernate-validator-cdi-0:6.0.18-1.Final_redhat_00001.1.el7eap
  • eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el7eap
  • eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el7eap
  • eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el7eap
  • eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el7eap
  • eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el7eap
  • eap7-jackson-datatype-jdk8-0:2.9.10-1.redhat_00003.1.el7eap
  • eap7-jackson-datatype-jsr310-0:2.9.10-1.redhat_00003.1.el7eap
  • eap7-jackson-jaxrs-base-0:2.9.10-1.redhat_00003.1.el7eap
  • eap7-jackson-jaxrs-json-provider-0:2.9.10-1.redhat_00003.1.el7eap
  • eap7-jackson-module-jaxb-annotations-0:2.9.10-2.redhat_00003.1.el7eap
  • eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el7eap
  • eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el7eap
  • eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el7eap
  • eap7-jberet-core-0:1.3.5-1.Final_redhat_00001.1.el7eap
  • eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el7eap
  • eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el7eap
  • eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-cli-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-core-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-eap6.4-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-eap6.4-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-eap7.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-eap7.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-eap7.1-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-eap7.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly10.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly10.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly10.1-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly10.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly11.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly11.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly12.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly12.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly13.0-server-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly14.0-server-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly8.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly8.2-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly9.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-server-migration-wildfly9.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
  • eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el7eap
  • eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el7eap
  • eap7-netty-all-0:4.1.42-1.Final_redhat_00001.1.el7eap
  • eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el7eap
  • eap7-picketlink-wildfly8-0:2.5.5-21.SP12_redhat_00010.1.el7eap
  • eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el7eap
  • eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el7eap
  • eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el7eap
  • eap7-weld-core-impl-0:3.0.6-3.Final_redhat_00003.1.el7eap
  • eap7-weld-core-jsf-0:3.0.6-3.Final_redhat_00003.1.el7eap
  • eap7-weld-ejb-0:3.0.6-3.Final_redhat_00003.1.el7eap
  • eap7-weld-jta-0:3.0.6-3.Final_redhat_00003.1.el7eap
  • eap7-weld-probe-core-0:3.0.6-3.Final_redhat_00003.1.el7eap
  • eap7-weld-web-0:3.0.6-3.Final_redhat_00003.1.el7eap
  • eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el7eap
  • eap7-wildfly-http-client-common-0:1.0.18-2.Final_redhat_00001.1.el7eap
  • eap7-wildfly-http-ejb-client-0:1.0.18-2.Final_redhat_00001.1.el7eap
  • eap7-wildfly-http-naming-client-0:1.0.18-2.Final_redhat_00001.1.el7eap
  • eap7-wildfly-http-transaction-client-0:1.0.18-2.Final_redhat_00001.1.el7eap
  • eap7-wildfly-java-jdk11-0:7.2.6-5.GA_redhat_00001.1.el7eap
  • eap7-wildfly-java-jdk8-0:7.2.6-5.GA_redhat_00001.1.el7eap
  • eap7-wildfly-javadocs-0:7.2.6-5.GA_redhat_00001.1.el7eap
  • eap7-wildfly-modules-0:7.2.6-5.GA_redhat_00001.1.el7eap
  • eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap
  • eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el8eap
  • eap7-apache-cxf-rt-0:3.2.11-1.redhat_00001.1.el8eap
  • eap7-apache-cxf-services-0:3.2.11-1.redhat_00001.1.el8eap
  • eap7-apache-cxf-tools-0:3.2.11-1.redhat_00001.1.el8eap
  • eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el8eap
  • eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el8eap
  • eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el8eap
  • eap7-hibernate-core-0:5.3.14-1.Final_redhat_00001.1.el8eap
  • eap7-hibernate-entitymanager-0:5.3.14-1.Final_redhat_00001.1.el8eap
  • eap7-hibernate-envers-0:5.3.14-1.Final_redhat_00001.1.el8eap
  • eap7-hibernate-java8-0:5.3.14-1.Final_redhat_00001.1.el8eap
  • eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el8eap
  • eap7-hibernate-validator-cdi-0:6.0.18-1.Final_redhat_00001.1.el8eap
  • eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el8eap
  • eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el8eap
  • eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el8eap
  • eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el8eap
  • eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el8eap
  • eap7-jackson-datatype-jdk8-0:2.9.10-1.redhat_00003.1.el8eap
  • eap7-jackson-datatype-jsr310-0:2.9.10-1.redhat_00003.1.el8eap
  • eap7-jackson-jaxrs-base-0:2.9.10-1.redhat_00003.1.el8eap
  • eap7-jackson-jaxrs-json-provider-0:2.9.10-1.redhat_00003.1.el8eap
  • eap7-jackson-module-jaxb-annotations-0:2.9.10-2.redhat_00003.1.el8eap
  • eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el8eap
  • eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el8eap
  • eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el8eap
  • eap7-jberet-core-0:1.3.5-1.Final_redhat_00001.1.el8eap
  • eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el8eap
  • eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el8eap
  • eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-cli-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-core-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-eap6.4-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-eap6.4-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-eap7.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-eap7.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-eap7.1-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-eap7.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly10.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly10.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly10.1-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly10.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly11.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly11.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly12.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly12.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly13.0-server-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly14.0-server-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly8.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly8.2-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly9.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-server-migration-wildfly9.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
  • eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el8eap
  • eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el8eap
  • eap7-netty-all-0:4.1.42-1.Final_redhat_00001.1.el8eap
  • eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el8eap
  • eap7-picketlink-wildfly8-0:2.5.5-21.SP12_redhat_00010.1.el8eap
  • eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el8eap
  • eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el8eap
  • eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el8eap
  • eap7-weld-core-impl-0:3.0.6-3.Final_redhat_00003.1.el8eap
  • eap7-weld-core-jsf-0:3.0.6-3.Final_redhat_00003.1.el8eap
  • eap7-weld-ejb-0:3.0.6-3.Final_redhat_00003.1.el8eap
  • eap7-weld-jta-0:3.0.6-3.Final_redhat_00003.1.el8eap
  • eap7-weld-probe-core-0:3.0.6-3.Final_redhat_00003.1.el8eap
  • eap7-weld-web-0:3.0.6-3.Final_redhat_00003.1.el8eap
  • eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el8eap
  • eap7-wildfly-http-client-common-0:1.0.18-2.Final_redhat_00001.1.el8eap
  • eap7-wildfly-http-ejb-client-0:1.0.18-2.Final_redhat_00001.1.el8eap
  • eap7-wildfly-http-naming-client-0:1.0.18-2.Final_redhat_00001.1.el8eap
  • eap7-wildfly-http-transaction-client-0:1.0.18-2.Final_redhat_00001.1.el8eap
  • eap7-wildfly-javadocs-0:7.2.6-5.GA_redhat_00001.1.el8eap
  • eap7-wildfly-modules-0:7.2.6-5.GA_redhat_00001.1.el8eap
  • eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap
  • apache-commons-collections-0:3.2.2-10.module+el8.1.0+3366+6dfb954c
  • apache-commons-lang-0:2.6-21.module+el8.1.0+3366+6dfb954c
  • bea-stax-api-0:1.2.0-16.module+el8.1.0+3366+6dfb954c
  • glassfish-fastinfoset-0:1.2.13-9.module+el8.1.0+3366+6dfb954c
  • glassfish-jaxb-api-0:2.2.12-8.module+el8.1.0+3366+6dfb954c
  • glassfish-jaxb-core-0:2.2.11-11.module+el8.1.0+3366+6dfb954c
  • glassfish-jaxb-runtime-0:2.2.11-11.module+el8.1.0+3366+6dfb954c
  • glassfish-jaxb-txw2-0:2.2.11-11.module+el8.1.0+3366+6dfb954c
  • jackson-annotations-0:2.10.0-1.module+el8.2.0+5059+3eb3af25
  • jackson-core-0:2.10.0-1.module+el8.2.0+5059+3eb3af25
  • jackson-databind-0:2.10.0-1.module+el8.2.0+5059+3eb3af25
  • jackson-jaxrs-json-provider-0:2.9.9-1.module+el8.1.0+3832+9784644d
  • jackson-jaxrs-providers-0:2.9.9-1.module+el8.1.0+3832+9784644d
  • jackson-module-jaxb-annotations-0:2.7.6-4.module+el8.1.0+3366+6dfb954c
  • jakarta-commons-httpclient-1:3.1-28.module+el8.1.0+3366+6dfb954c
  • javassist-0:3.18.1-8.module+el8.1.0+3366+6dfb954c
  • javassist-javadoc-0:3.18.1-8.module+el8.1.0+3366+6dfb954c
  • jss-0:4.6.2-4.module+el8.2.0+6123+b4678599
  • jss-debuginfo-0:4.6.2-4.module+el8.2.0+6123+b4678599
  • jss-debugsource-0:4.6.2-4.module+el8.2.0+6123+b4678599
  • jss-javadoc-0:4.6.2-4.module+el8.2.0+6123+b4678599
  • ldapjdk-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b
  • ldapjdk-javadoc-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b
  • pki-base-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • pki-base-java-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • pki-ca-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • pki-core-debuginfo-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • pki-core-debugsource-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • pki-kra-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • pki-server-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • pki-servlet-4.0-api-1:9.0.7-16.module+el8.1.0+3366+6dfb954c
  • pki-servlet-engine-1:9.0.7-16.module+el8.1.0+3366+6dfb954c
  • pki-symkey-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • pki-symkey-debuginfo-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • pki-tools-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • pki-tools-debuginfo-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • python-nss-debugsource-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
  • python-nss-doc-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
  • python3-nss-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
  • python3-nss-debuginfo-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
  • python3-pki-0:10.8.3-1.module+el8.2.0+5925+bad5981a
  • relaxngDatatype-0:2011.1-7.module+el8.1.0+3366+6dfb954c
  • resteasy-0:3.0.26-3.module+el8.1.0+3366+6dfb954c
  • slf4j-0:1.7.25-4.module+el8.1.0+3366+6dfb954c
  • slf4j-jdk14-0:1.7.25-4.module+el8.1.0+3366+6dfb954c
  • stax-ex-0:1.7.7-8.module+el8.1.0+3366+6dfb954c
  • tomcatjss-0:7.4.1-2.module+el8.2.0+4573+c3c38c7b
  • velocity-0:1.7-24.module+el8.1.0+3366+6dfb954c
  • xalan-j2-0:2.7.1-38.module+el8.1.0+3366+6dfb954c
  • xerces-j2-0:2.11.0-34.module+el8.1.0+3366+6dfb954c
  • xml-commons-apis-0:1.4.01-25.module+el8.1.0+3366+6dfb954c
  • xml-commons-resolver-0:1.2-26.module+el8.1.0+3366+6dfb954c
  • xmlstreambuffer-0:1.5.4-8.module+el8.1.0+3366+6dfb954c
  • xsom-0:0-19.20110809svn.module+el8.1.0+3366+6dfb954c

References