Vulnerabilities > CVE-2019-16335 - Deserialization of Untrusted Data vulnerability in multiple products

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Vulnerable Configurations

Part	Description	Count
Application	Fasterxml Fasterxml Jackson Databind 2.9.0 Fasterxml Jackson Databind 2.9.1 Fasterxml Jackson Databind 2.9.2 Fasterxml Jackson Databind 2.9.3 Fasterxml Jackson Databind 2.9.4 Fasterxml Jackson Databind 2.9.5 Fasterxml Jackson Databind 2.9.6 Fasterxml Jackson Databind 2.9.7 Fasterxml Jackson Databind 2.9.8 Fasterxml Jackson Databind 2.9.9 Fasterxml Jackson Databind 2.9.9.1 Fasterxml Jackson Databind 2.9.9.2 Fasterxml Jackson Databind 2.9.9.3 Fasterxml Jackson Databind 2.9.9.4 Fasterxml Jackson Databind 2.0.0 Fasterxml Jackson Databind 2.0.1 Fasterxml Jackson Databind 2.0.2 Fasterxml Jackson Databind 2.0.4 Fasterxml Jackson Databind 2.0.5 Fasterxml Jackson Databind 2.0.6 Fasterxml Jackson Databind 2.1.0 Fasterxml Jackson Databind 2.1.1 Fasterxml Jackson Databind 2.1.2 Fasterxml Jackson Databind 2.1.3 Fasterxml Jackson Databind 2.1.4 Fasterxml Jackson Databind 2.1.5 Fasterxml Jackson Databind 2.2.0 Fasterxml Jackson Databind 2.2.1 Fasterxml Jackson Databind 2.2.2 Fasterxml Jackson Databind 2.2.3 Fasterxml Jackson Databind 2.2.4 Fasterxml Jackson Databind 2.3.0 Fasterxml Jackson Databind 2.3.1 Fasterxml Jackson Databind 2.3.2 Fasterxml Jackson Databind 2.3.3 Fasterxml Jackson Databind 2.3.4 Fasterxml Jackson Databind 2.3.5 Fasterxml Jackson Databind 2.4.0 Fasterxml Jackson Databind 2.4.1 Fasterxml Jackson Databind 2.4.1.1 Fasterxml Jackson Databind 2.4.1.2 Fasterxml Jackson Databind 2.4.1.3 Fasterxml Jackson Databind 2.4.2 Fasterxml Jackson Databind 2.4.3 Fasterxml Jackson Databind 2.4.4 Fasterxml Jackson Databind 2.4.5 Fasterxml Jackson Databind 2.4.5.1 Fasterxml Jackson Databind 2.4.6 Fasterxml Jackson Databind 2.4.6.1 Fasterxml Jackson Databind 2.5.0 Fasterxml Jackson Databind 2.5.1 Fasterxml Jackson Databind 2.5.2 Fasterxml Jackson Databind 2.5.3 Fasterxml Jackson Databind 2.5.4 Fasterxml Jackson Databind 2.5.5 Fasterxml Jackson Databind 2.6.0 Fasterxml Jackson Databind 2.6.1 Fasterxml Jackson Databind 2.6.2 Fasterxml Jackson Databind 2.6.3 Fasterxml Jackson Databind 2.6.4 Fasterxml Jackson Databind 2.6.5 Fasterxml Jackson Databind 2.6.6 Fasterxml Jackson Databind 2.6.7 Fasterxml Jackson Databind 2.6.7.1 Fasterxml Jackson Databind 2.6.7.2 Fasterxml Jackson Databind 2.7.0 Fasterxml Jackson Databind 2.7.1 Fasterxml Jackson Databind 2.7.1-1 Fasterxml Jackson Databind 2.7.2 Fasterxml Jackson Databind 2.7.3 Fasterxml Jackson Databind 2.7.4 Fasterxml Jackson Databind 2.7.5 Fasterxml Jackson Databind 2.7.6 Fasterxml Jackson Databind 2.7.7 Fasterxml Jackson Databind 2.7.8 Fasterxml Jackson Databind 2.7.9 Fasterxml Jackson Databind 2.7.9.1 Fasterxml Jackson Databind 2.7.9.2 Fasterxml Jackson Databind 2.7.9.3 Fasterxml Jackson Databind 2.7.9.4 Fasterxml Jackson Databind 2.7.9.5 Fasterxml Jackson Databind 2.7.9.6 Fasterxml Jackson Databind 2.7.9.7 Fasterxml Jackson Databind 2.8.0 Fasterxml Jackson Databind 2.8.1 Fasterxml Jackson Databind 2.8.2 Fasterxml Jackson Databind 2.8.3 Fasterxml Jackson Databind 2.8.4 Fasterxml Jackson Databind 2.8.5 Fasterxml Jackson Databind 2.8.6 Fasterxml Jackson Databind 2.8.7 Fasterxml Jackson Databind 2.8.8 Fasterxml Jackson Databind 2.8.8.1 Fasterxml Jackson Databind 2.8.9 Fasterxml Jackson Databind 2.8.10 Fasterxml Jackson Databind 2.8.11 Fasterxml Jackson Databind 2.8.11.1 Fasterxml Jackson Databind 2.8.11.2 Fasterxml Jackson Databind 2.8.11.3 Fasterxml Jackson Databind 2.8.11.4	130
Application	Netapp Netapp Steelstore Cloud Integrated Storage - Netapp Oncommand Workflow Automation - Netapp Oncommand API Services -	3
Application	Redhat Redhat Jboss Enterprise Application Platform 7.2 Redhat Jboss Enterprise Application Platform 7.3	2
Application	Oracle Oracle Retail Xstore Point OF Service 15.0 Oracle Retail Xstore Point OF Service 7.1 Oracle Retail Xstore Point OF Service 16.0 Oracle Retail Xstore Point OF Service 17.0 Oracle Retail Xstore Point OF Service 18.0 Oracle Banking Platform 2.4.0 Oracle Banking Platform 2.4.1 Oracle Banking Platform 2.5.0 Oracle Banking Platform 2.6.0 Oracle Banking Platform 2.6.1 Oracle Banking Platform 2.7.0 Oracle Banking Platform 2.7.1 Oracle Primavera Gateway 16.1 Oracle Primavera Gateway 16.2 Oracle Primavera Gateway 15.2 Oracle Primavera Gateway 17.7 Oracle Primavera Gateway 17.12 Oracle Primavera Gateway 18.8.0 Oracle Weblogic Server 12.2.1.3.0 Oracle Retail Customer Management AND Segmentation Foundation 17.0 Oracle Global Lifecycle Management Opatch * Oracle Global Lifecycle Management Opatch 12.2.0.1.0 Oracle Global Lifecycle Management Opatch 13.9.4.0.0 Oracle Goldengate Application Adapters 19.1.0.0.0 Oracle Customer Management AND Segmentation Foundation 18.0 Oracle Goldengate Stream Analytics - Oracle Financial Services Analytical Applications Infrastructure 8.0.2 Oracle Financial Services Analytical Applications Infrastructure 8.0.2.0.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.2.1.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.2.2.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.3 Oracle Financial Services Analytical Applications Infrastructure 8.0.3.0.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.3.1.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.3.2.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.3.3.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.4 Oracle Financial Services Analytical Applications Infrastructure 8.0.4.0.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.4.1.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.4.2.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.4.3.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.4.4.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.4.5.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.5 Oracle Financial Services Analytical Applications Infrastructure 8.0.5.0.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.5.0.1 Oracle Financial Services Analytical Applications Infrastructure 8.0.5.1.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.5.2.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.5.3.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.5.4.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.6 Oracle Financial Services Analytical Applications Infrastructure 8.0.6.0.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.6.0.1 Oracle Financial Services Analytical Applications Infrastructure 8.0.6.1.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.6.2.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.6.3.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.6.4.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.7 Oracle Financial Services Analytical Applications Infrastructure 8.0.7.0.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.7.1.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.7.2.0 Oracle Financial Services Analytical Applications Infrastructure 8.0.8	61
OS	Fedoraproject Fedoraproject Fedora 30 Fedoraproject Fedora 31	2
OS	Debian Debian Debian Linux 8.0 Debian Debian Linux 9.0 Debian Debian Linux 10.0	3
OS	Redhat Redhat Enterprise Linux 6.0 Redhat Enterprise Linux 7.0 Redhat Enterprise Linux 8.0	3

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Nessus

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-0160.NASL
description	An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI
last seen	2020-06-01
modified	2020-06-02
plugin id	133157
published	2020-01-22
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133157
title	RHEL 7 : JBoss EAP (RHSA-2020:0160)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:0160. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(133157); script_version("1.2"); script_cvs_date("Date: 2020/01/24"); script_cve_id("CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"); script_xref(name:"RHSA", value:"2020:0160"); script_name(english:"RHEL 7 : JBoss EAP (RHSA-2020:0160)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885) * netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942) * jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943) * jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531) * jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893) * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219) * jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/documentation/en-us/" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:0160" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-10219" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14540" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14885" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14888" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14892" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14893" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16335" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16869" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16942" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16943" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17267" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17531" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2020:0160"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (! (rpm_exists(release:"RHEL7", rpm:"eap7-jboss"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP"); if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-3.2.11-1.redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-core-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jberet-1.3.5-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-netty-4.1.42-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-java-jdk11-7.2.6-5.GA_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-java-jdk8-7.2.6-5.GA_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc"); } }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-0159.NASL
description	An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI
last seen	2020-06-01
modified	2020-06-02
plugin id	133156
published	2020-01-22
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133156
title	RHEL 6 : JBoss EAP (RHSA-2020:0159)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:0159. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(133156); script_version("1.2"); script_cvs_date("Date: 2020/01/24"); script_cve_id("CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"); script_xref(name:"RHSA", value:"2020:0159"); script_name(english:"RHEL 6 : JBoss EAP (RHSA-2020:0159)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885) * netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942) * jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943) * jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531) * jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893) * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219) * jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/documentation/en-us/" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:0159" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-10219" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14540" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14885" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14888" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14892" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14893" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16335" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16869" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16942" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16943" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17267" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17531" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2020:0159"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (! (rpm_exists(release:"RHEL6", rpm:"eap7-jboss"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP"); if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-3.2.11-1.redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-core-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jberet-1.3.5-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-netty-4.1.42-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc"); } }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-0161.NASL
description	An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI
last seen	2020-06-01
modified	2020-06-02
plugin id	133158
published	2020-01-22
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133158
title	RHEL 8 : JBoss EAP (RHSA-2020:0161)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:0161. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(133158); script_version("1.2"); script_cvs_date("Date: 2020/01/24"); script_cve_id("CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"); script_xref(name:"RHSA", value:"2020:0161"); script_name(english:"RHEL 8 : JBoss EAP (RHSA-2020:0161)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885) * netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942) * jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943) * jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531) * jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893) * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219) * jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:0161" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-10219" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14540" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14885" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14888" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14892" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14893" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16335" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16869" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16942" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16943" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17267" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17531" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^8([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 8.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2020:0161"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (! (rpm_exists(release:"RHEL8", rpm:"eap7-jboss"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP"); if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-3.2.11-1.redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-core-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jberet-1.3.5-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-netty-4.1.42-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el8")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc"); } }

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1943.NASL
description	More deserialization flaws were discovered in jackson-databind relating to the classes in com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource, commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an unauthenticated user to perform remote code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. For Debian 8
last seen	2020-06-01
modified	2020-06-02
plugin id	129539
published	2019-10-03
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129539
title	Debian DLA-1943-1 : jackson-databind security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1943-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(129539); script_version("1.3"); script_cvs_date("Date: 2019/12/23"); script_cve_id("CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"); script_name(english:"Debian DLA-1943-1 : jackson-databind security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "More deserialization flaws were discovered in jackson-databind relating to the classes in com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource, commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an unauthenticated user to perform remote code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. For Debian 8 'Jessie', these problems have been fixed in version 2.4.2-2+deb8u9. We recommend that you upgrade your jackson-databind packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/jackson-databind" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjackson2-databind-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjackson2-databind-java-doc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libjackson2-databind-java", reference:"2.4.2-2+deb8u9")) flag++; if (deb_check(release:"8.0", prefix:"libjackson2-databind-java-doc", reference:"2.4.2-2+deb8u9")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-1644.NASL
description	The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1644 advisory. - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540) - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942) - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943) - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-05-21
modified	2020-04-28
plugin id	136041
published	2020-04-28
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136041
title	RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:1644)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:1644. The text # itself is copyright (C) Red Hat, Inc. # include('compat.inc'); if (description) { script_id(136041); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/20"); script_cve_id( "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17531" ); script_xref(name:"RHSA", value:"2020:1644"); script_name(english:"RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:1644)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute(attribute:"synopsis", value: "The remote Red Hat host is missing one or more security updates."); script_set_attribute(attribute:"description", value: "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1644 advisory. - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540) - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942) - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943) - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1644"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-14540"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-16335"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-16942"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-16943"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-17531"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1755831"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1755849"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1758187"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1758191"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1775293"); script_set_attribute(attribute:"solution", value: "Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17531"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_cwe_id(20, 200, 502); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:apache-commons-collections"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:apache-commons-lang"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bea-stax-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-fastinfoset"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-runtime"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-txw2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-json-provider"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-providers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-module-jaxb-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-httpclient"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:javassist"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:javassist-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jss-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jss-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ldapjdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ldapjdk-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-base-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-ca"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-core-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-kra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-servlet-4.0-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-servlet-engine"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-symkey"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-nss-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-nss-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3-nss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3-pki"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:relaxngDatatype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:resteasy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:slf4j"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:slf4j-jdk14"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:stax-ex"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcatjss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:velocity"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xalan-j2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xerces-j2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-apis"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xmlstreambuffer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xsom"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Red Hat Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('rpm.inc'); if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item('Host/RedHat/release'); if (isnull(release) \|\| 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat'); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat'); os_ver = os_ver[1]; if (! preg(pattern:"^8([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver); if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item('Host/cpu'); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu); appstreams = { 'pki-deps:10.6': [ {'reference':'apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'glassfish-fastinfoset-1.2.13-9.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'glassfish-jaxb-core-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'glassfish-jaxb-runtime-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'glassfish-jaxb-txw2-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'jackson-annotations-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8'}, {'reference':'jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8'}, {'reference':'jackson-databind-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8'}, {'reference':'jackson-jaxrs-json-provider-2.9.9-1.module+el8.1.0+3832+9784644d', 'release':'8'}, {'reference':'jackson-jaxrs-providers-2.9.9-1.module+el8.1.0+3832+9784644d', 'release':'8'}, {'reference':'jackson-module-jaxb-annotations-2.7.6-4.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'jakarta-commons-httpclient-3.1-28.module+el8.1.0+3366+6dfb954c', 'release':'8', 'epoch':'1'}, {'reference':'javassist-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'javassist-javadoc-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'release':'8', 'epoch':'1'}, {'reference':'pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'release':'8', 'epoch':'1'}, {'reference':'python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'aarch64', 'release':'8'}, {'reference':'python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'s390x', 'release':'8'}, {'reference':'python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'x86_64', 'release':'8'}, {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'aarch64', 'release':'8'}, {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'s390x', 'release':'8'}, {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'x86_64', 'release':'8'}, {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'aarch64', 'release':'8'}, {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'s390x', 'release':'8'}, {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'x86_64', 'release':'8'}, {'reference':'relaxngDatatype-2011.1-7.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'resteasy-3.0.26-3.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'slf4j-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'slf4j-jdk14-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'stax-ex-1.7.7-8.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'velocity-1.7-24.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xalan-j2-2.7.1-38.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xerces-j2-2.11.0-34.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xml-commons-apis-1.4.01-25.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xml-commons-resolver-1.2-26.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xmlstreambuffer-1.5.4-8.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xsom-0-19.20110809svn.module+el8.1.0+3366+6dfb954c', 'release':'8'} ], 'pki-core:10.6': [ {'reference':'jss-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'aarch64', 'release':'8'}, {'reference':'jss-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'s390x', 'release':'8'}, {'reference':'jss-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'x86_64', 'release':'8'}, {'reference':'jss-debugsource-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'aarch64', 'release':'8'}, {'reference':'jss-debugsource-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'s390x', 'release':'8'}, {'reference':'jss-debugsource-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'x86_64', 'release':'8'}, {'reference':'jss-javadoc-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'aarch64', 'release':'8'}, {'reference':'jss-javadoc-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'s390x', 'release':'8'}, {'reference':'jss-javadoc-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'x86_64', 'release':'8'}, {'reference':'ldapjdk-4.21.0-2.module+el8.2.0+4573+c3c38c7b', 'release':'8'}, {'reference':'ldapjdk-javadoc-4.21.0-2.module+el8.2.0+4573+c3c38c7b', 'release':'8'}, {'reference':'pki-base-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'pki-base-java-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'pki-ca-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'pki-core-debugsource-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'aarch64', 'release':'8'}, {'reference':'pki-core-debugsource-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'s390x', 'release':'8'}, {'reference':'pki-core-debugsource-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'x86_64', 'release':'8'}, {'reference':'pki-kra-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'pki-server-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'aarch64', 'release':'8'}, {'reference':'pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'s390x', 'release':'8'}, {'reference':'pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'x86_64', 'release':'8'}, {'reference':'pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'aarch64', 'release':'8'}, {'reference':'pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'s390x', 'release':'8'}, {'reference':'pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'x86_64', 'release':'8'}, {'reference':'python3-pki-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'tomcatjss-7.4.1-2.module+el8.2.0+4573+c3c38c7b', 'release':'8'} ], }; flag = 0; appstreams_found = 0; foreach module (keys(appstreams)) { appstream = NULL; appstream_name = NULL; appstream_version = NULL; appstream_split = split(module, sep:':', keep:FALSE); if (!empty_or_null(appstream_split)) { appstream_name = appstream_split[0]; appstream_version = appstream_split[1]; appstream = get_kb_item('Host/RedHat/appstream/' + appstream_name); } if (!empty_or_null(appstream) && appstream_version == appstream \|\| appstream_name == 'all') { appstreams_found++; foreach package_array ( appstreams[module] ) { reference = NULL; release = NULL; sp = NULL; cpu = NULL; el_string = NULL; rpm_spec_vers_cmp = NULL; epoch = NULL; if (!empty_or_null(package_array['reference'])) reference = package_array['reference']; if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release']; if (!empty_or_null(package_array['sp'])) sp = package_array['sp']; if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu']; if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string']; if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp']; if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch']; if (reference && release) { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++; } } } } if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module pki-core:10.6 / pki-deps:10.6'); if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache-commons-collections / apache-commons-lang / bea-stax-api / etc'); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2019-B171554877.NASL
description	- Update jackson-parent to version 2.10. - Update jackson-bom to version 2.10.0. - Update jackson-annotations to version 2.10.0. - Update jackson-core to version 2.10.0. - Update jackson-databind to version 2.10.0. Resolves CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	129833
published	2019-10-14
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129833
title	Fedora 30 : jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc (2019-b171554877)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-b171554877. # include("compat.inc"); if (description) { script_id(129833); script_version("1.3"); script_cvs_date("Date: 2019/12/19"); script_cve_id("CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"); script_xref(name:"FEDORA", value:"2019-b171554877"); script_name(english:"Fedora 30 : jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc (2019-b171554877)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: " - Update jackson-parent to version 2.10. - Update jackson-bom to version 2.10.0. - Update jackson-annotations to version 2.10.0. - Update jackson-core to version 2.10.0. - Update jackson-databind to version 2.10.0. Resolves CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-b171554877" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-bom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-parent"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^30([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC30", reference:"jackson-annotations-2.10.0-1.fc30")) flag++; if (rpm_check(release:"FC30", reference:"jackson-bom-2.10.0-1.fc30")) flag++; if (rpm_check(release:"FC30", reference:"jackson-core-2.10.0-1.fc30")) flag++; if (rpm_check(release:"FC30", reference:"jackson-databind-2.10.0-1.fc30")) flag++; if (rpm_check(release:"FC30", reference:"jackson-parent-2.10-1.fc30")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc"); }

NASL family	CGI abuses
NASL id	ORACLE_PRIMAVERA_UNIFIER_CPU_JAN_2020.NASL
description	According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.1.x or 16.2.x prior to 16.2.16.0, or 17.7.x through 17.12.x prior to 17.12.11.2, or 18.8.x prior to 18.8.15, or 19.12.x prior to 19.12.0.1. It is, therefore, affected by multiple vulnerabilities: - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 used in Primavera Unifier. (CVE-2019-14540) - A memory exhaustion flaw exists in Apache Tika
last seen	2020-05-08
modified	2020-01-30
plugin id	133359
published	2020-01-30
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133359
title	Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(133359); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06"); script_cve_id( "CVE-2014-3596", "CVE-2018-8032", "CVE-2019-0227", "CVE-2019-10088", "CVE-2019-10093", "CVE-2019-10094", "CVE-2019-12415", "CVE-2019-14540", "CVE-2019-16335" ); script_bugtraq_id(107867); script_xref(name:"IAVA", value:"2020-A-0140"); script_name(english:"Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU)"); script_set_attribute(attribute:"synopsis", value: "An application running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.1.x or 16.2.x prior to 16.2.16.0, or 17.7.x through 17.12.x prior to 17.12.11.2, or 18.8.x prior to 18.8.15, or 19.12.x prior to 19.12.0.1. It is, therefore, affected by multiple vulnerabilities: - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 used in Primavera Unifier. (CVE-2019-14540) - A memory exhaustion flaw exists in Apache Tika's RecursiveParserWrapper versions 1.7 - 1.21 used in Primavera Unifier. (CVE-2019-10088) - A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue. (CVE-2019-0227) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=325111950546185&id=2620236.1&_afrWindowMode=0&_adf.ctrl-state=nxv3x2076_4 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b244b132"); script_set_attribute(attribute:"solution", value: "Upgrade to Oracle Primavera Unifier version 16.2.16.0 / 17.12.11.2 / 18.8.15 / 19.12.0.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14540"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/14"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/30"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_unifier"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_primavera_unifier.nbin"); script_require_keys("installed_sw/Oracle Primavera Unifier", "www/weblogic"); script_require_ports("Services/www", 8002); exit(0); } include('http.inc'); include('vcf.inc'); get_install_count(app_name:'Oracle Primavera Unifier', exit_if_zero:TRUE); port = get_http_port(default:8002); get_kb_item_or_exit('www/weblogic/' + port + '/installed'); app_info = vcf::get_app_info(app:'Oracle Primavera Unifier', port:port); vcf::check_granularity(app_info:app_info, sig_segments:3); constraints = [ { 'min_version' : '16.1', 'fixed_version' : '16.2.16.0' }, { 'min_version' : '17.7', 'fixed_version' : '17.12.11.2' }, { 'min_version' : '18.8', 'fixed_version' : '18.8.15' }, { 'min_version' : '19.12', 'fixed_version' : '19.12.0.1' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

NASL family	CGI abuses
NASL id	ORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2020.NASL
description	According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.18, 16.x prior to 16.2.11, 17.x prior to 17.12.6, or 18.x prior to 18.8.8.1. It is, therefore, affected by multiple vulnerabilities, including the following: - Two Polymorphic Typing issues present in FasterXML jackson-databind related to com.zaxxer.hikari.HikariDataSource which can be exploited by remote, unauthenticated attackers. (CVE-2019-16335, CVE-2019-14540) - A man-in-the-middle vulnerability caused by the getCN function in Apache Axis not properly verifying that the server hostname matches a domain name in the subject
last seen	2020-05-08
modified	2020-01-15
plugin id	132936
published	2020-01-15
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132936
title	Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(132936); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06"); script_cve_id( "CVE-2014-3596", "CVE-2015-9251", "CVE-2018-8032", "CVE-2019-0227", "CVE-2019-11358", "CVE-2019-12415", "CVE-2019-14540", "CVE-2019-16335" ); script_bugtraq_id( 69295, 105658, 107867, 108023 ); script_xref(name:"IAVA", value:"2020-A-0140"); script_name(english:"Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU)"); script_set_attribute(attribute:"synopsis", value: "An application running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is 15.x prior to 15.2.18, 16.x prior to 16.2.11, 17.x prior to 17.12.6, or 18.x prior to 18.8.8.1. It is, therefore, affected by multiple vulnerabilities, including the following: - Two Polymorphic Typing issues present in FasterXML jackson-databind related to com.zaxxer.hikari.HikariDataSource which can be exploited by remote, unauthenticated attackers. (CVE-2019-16335, CVE-2019-14540) - A man-in-the-middle vulnerability caused by the getCN function in Apache Axis not properly verifying that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. An unauthenticated, remote attacker can exploit this to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not a CN field. (CVE-2014-3596) - A Server Side Request Forgery (SSRF) vulnerability in Apache Axis that can be exploited by an unauthenticated, remote attacker. (CVE-2019-0227) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2020.html#AppendixPVA"); script_set_attribute(attribute:"see_also", value:"https://support.oracle.com/rs?type=doc&id=2620236.1"); script_set_attribute(attribute:"solution", value: "Upgrade to Oracle Primavera Gateway version 15.2.18 / 16.2.11 / 17.12.6 / 18.8.8.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-16335"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/08/26"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/15"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_gateway"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_primavera_gateway.nbin"); script_require_keys("installed_sw/Oracle Primavera Gateway"); script_require_ports("Services/www", 8006); exit(0); } include('http.inc'); include('vcf.inc'); get_install_count(app_name:'Oracle Primavera Gateway', exit_if_zero:TRUE); port = get_http_port(default:8006); app_info = vcf::get_app_info(app:'Oracle Primavera Gateway', port:port); vcf::check_granularity(app_info:app_info, sig_segments:2); constraints = [ { 'min_version' : '15.0.0', 'fixed_version' : '15.2.18' }, { 'min_version' : '16.0.0', 'fixed_version' : '16.2.11' }, { 'min_version' : '17.0.0', 'fixed_version' : '17.12.6' }, { 'min_version' : '18.0.0', 'fixed_version' : '18.8.8.1' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE});

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4542.NASL
description	It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server.
last seen	2020-06-01
modified	2020-06-02
plugin id	129597
published	2019-10-07
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129597
title	Debian DSA-4542-1 : jackson-databind - security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4542. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(129597); script_version("1.3"); script_cvs_date("Date: 2019/12/23"); script_cve_id("CVE-2019-12384", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"); script_xref(name:"DSA", value:"4542"); script_name(english:"Debian DSA-4542-1 : jackson-databind - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941530" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940498" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933393" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750" ); # https://security-tracker.debian.org/tracker/source-package/jackson-databind script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?61134ddf" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/jackson-databind" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/buster/jackson-databind" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4542" ); script_set_attribute( attribute:"solution", value: "Upgrade the jackson-databind packages. For the oldstable distribution (stretch), these problems have been fixed in version 2.8.6-1+deb9u6. For the stable distribution (buster), these problems have been fixed in version 2.9.8-3+deb10u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:jackson-databind"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/24"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/07"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"10.0", prefix:"libjackson2-databind-java", reference:"2.9.8-3+deb10u1")) flag++; if (deb_check(release:"10.0", prefix:"libjackson2-databind-java-doc", reference:"2.9.8-3+deb10u1")) flag++; if (deb_check(release:"9.0", prefix:"libjackson2-databind-java", reference:"2.8.6-1+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"libjackson2-databind-java-doc", reference:"2.8.6-1+deb9u6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

Redhat

advisories

rhsa
id RHSA-2019:3200
rhsa
id RHSA-2020:0159
rhsa
id RHSA-2020:0160
rhsa
id RHSA-2020:0161
rhsa
id RHSA-2020:0164
rhsa
id RHSA-2020:0445
rhsa
id RHSA-2020:0729

rpms

eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el6eap
eap7-apache-cxf-rt-0:3.2.11-1.redhat_00001.1.el6eap
eap7-apache-cxf-services-0:3.2.11-1.redhat_00001.1.el6eap
eap7-apache-cxf-tools-0:3.2.11-1.redhat_00001.1.el6eap
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el6eap
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el6eap
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el6eap
eap7-hibernate-core-0:5.3.14-1.Final_redhat_00001.1.el6eap
eap7-hibernate-entitymanager-0:5.3.14-1.Final_redhat_00001.1.el6eap
eap7-hibernate-envers-0:5.3.14-1.Final_redhat_00001.1.el6eap
eap7-hibernate-java8-0:5.3.14-1.Final_redhat_00001.1.el6eap
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el6eap
eap7-hibernate-validator-cdi-0:6.0.18-1.Final_redhat_00001.1.el6eap
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el6eap
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-datatype-jdk8-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-datatype-jsr310-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-jaxrs-base-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-jaxrs-json-provider-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-module-jaxb-annotations-0:2.9.10-2.redhat_00003.1.el6eap
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el6eap
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el6eap
eap7-jberet-core-0:1.3.5-1.Final_redhat_00001.1.el6eap
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el6eap
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el6eap
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-cli-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-core-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap6.4-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap6.4-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap7.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap7.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap7.1-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap7.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly10.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly10.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly10.1-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly10.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly11.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly11.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly12.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly12.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly13.0-server-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly14.0-server-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly8.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly8.2-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly9.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly9.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el6eap
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el6eap
eap7-netty-all-0:4.1.42-1.Final_redhat_00001.1.el6eap
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el6eap
eap7-picketlink-wildfly8-0:2.5.5-21.SP12_redhat_00010.1.el6eap
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el6eap
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el6eap
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-core-impl-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-core-jsf-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-ejb-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-jta-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-probe-core-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-web-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el6eap
eap7-wildfly-http-client-common-0:1.0.18-2.Final_redhat_00001.1.el6eap
eap7-wildfly-http-ejb-client-0:1.0.18-2.Final_redhat_00001.1.el6eap
eap7-wildfly-http-naming-client-0:1.0.18-2.Final_redhat_00001.1.el6eap
eap7-wildfly-http-transaction-client-0:1.0.18-2.Final_redhat_00001.1.el6eap
eap7-wildfly-javadocs-0:7.2.6-5.GA_redhat_00001.1.el6eap
eap7-wildfly-modules-0:7.2.6-5.GA_redhat_00001.1.el6eap
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el6eap
eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el7eap
eap7-apache-cxf-rt-0:3.2.11-1.redhat_00001.1.el7eap
eap7-apache-cxf-services-0:3.2.11-1.redhat_00001.1.el7eap
eap7-apache-cxf-tools-0:3.2.11-1.redhat_00001.1.el7eap
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el7eap
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el7eap
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el7eap
eap7-hibernate-core-0:5.3.14-1.Final_redhat_00001.1.el7eap
eap7-hibernate-entitymanager-0:5.3.14-1.Final_redhat_00001.1.el7eap
eap7-hibernate-envers-0:5.3.14-1.Final_redhat_00001.1.el7eap
eap7-hibernate-java8-0:5.3.14-1.Final_redhat_00001.1.el7eap
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el7eap
eap7-hibernate-validator-cdi-0:6.0.18-1.Final_redhat_00001.1.el7eap
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el7eap
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-datatype-jdk8-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-datatype-jsr310-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-jaxrs-base-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-jaxrs-json-provider-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-module-jaxb-annotations-0:2.9.10-2.redhat_00003.1.el7eap
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el7eap
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el7eap
eap7-jberet-core-0:1.3.5-1.Final_redhat_00001.1.el7eap
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el7eap
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el7eap
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-cli-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-core-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap6.4-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap6.4-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap7.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap7.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap7.1-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap7.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly10.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly10.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly10.1-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly10.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly11.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly11.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly12.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly12.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly13.0-server-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly14.0-server-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly8.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly8.2-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly9.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly9.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el7eap
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el7eap
eap7-netty-all-0:4.1.42-1.Final_redhat_00001.1.el7eap
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el7eap
eap7-picketlink-wildfly8-0:2.5.5-21.SP12_redhat_00010.1.el7eap
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el7eap
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el7eap
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-core-impl-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-core-jsf-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-ejb-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-jta-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-probe-core-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-web-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el7eap
eap7-wildfly-http-client-common-0:1.0.18-2.Final_redhat_00001.1.el7eap
eap7-wildfly-http-ejb-client-0:1.0.18-2.Final_redhat_00001.1.el7eap
eap7-wildfly-http-naming-client-0:1.0.18-2.Final_redhat_00001.1.el7eap
eap7-wildfly-http-transaction-client-0:1.0.18-2.Final_redhat_00001.1.el7eap
eap7-wildfly-java-jdk11-0:7.2.6-5.GA_redhat_00001.1.el7eap
eap7-wildfly-java-jdk8-0:7.2.6-5.GA_redhat_00001.1.el7eap
eap7-wildfly-javadocs-0:7.2.6-5.GA_redhat_00001.1.el7eap
eap7-wildfly-modules-0:7.2.6-5.GA_redhat_00001.1.el7eap
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap
eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el8eap
eap7-apache-cxf-rt-0:3.2.11-1.redhat_00001.1.el8eap
eap7-apache-cxf-services-0:3.2.11-1.redhat_00001.1.el8eap
eap7-apache-cxf-tools-0:3.2.11-1.redhat_00001.1.el8eap
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el8eap
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el8eap
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el8eap
eap7-hibernate-core-0:5.3.14-1.Final_redhat_00001.1.el8eap
eap7-hibernate-entitymanager-0:5.3.14-1.Final_redhat_00001.1.el8eap
eap7-hibernate-envers-0:5.3.14-1.Final_redhat_00001.1.el8eap
eap7-hibernate-java8-0:5.3.14-1.Final_redhat_00001.1.el8eap
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el8eap
eap7-hibernate-validator-cdi-0:6.0.18-1.Final_redhat_00001.1.el8eap
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el8eap
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-datatype-jdk8-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-datatype-jsr310-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-jaxrs-base-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-jaxrs-json-provider-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-module-jaxb-annotations-0:2.9.10-2.redhat_00003.1.el8eap
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el8eap
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el8eap
eap7-jberet-core-0:1.3.5-1.Final_redhat_00001.1.el8eap
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el8eap
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el8eap
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-cli-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-core-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap6.4-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap6.4-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap7.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap7.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap7.1-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap7.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly10.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly10.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly10.1-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly10.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly11.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly11.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly12.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly12.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly13.0-server-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly14.0-server-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly8.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly8.2-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly9.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly9.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el8eap
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el8eap
eap7-netty-all-0:4.1.42-1.Final_redhat_00001.1.el8eap
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el8eap
eap7-picketlink-wildfly8-0:2.5.5-21.SP12_redhat_00010.1.el8eap
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el8eap
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el8eap
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-core-impl-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-core-jsf-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-ejb-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-jta-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-probe-core-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-web-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el8eap
eap7-wildfly-http-client-common-0:1.0.18-2.Final_redhat_00001.1.el8eap
eap7-wildfly-http-ejb-client-0:1.0.18-2.Final_redhat_00001.1.el8eap
eap7-wildfly-http-naming-client-0:1.0.18-2.Final_redhat_00001.1.el8eap
eap7-wildfly-http-transaction-client-0:1.0.18-2.Final_redhat_00001.1.el8eap
eap7-wildfly-javadocs-0:7.2.6-5.GA_redhat_00001.1.el8eap
eap7-wildfly-modules-0:7.2.6-5.GA_redhat_00001.1.el8eap
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap
apache-commons-collections-0:3.2.2-10.module+el8.1.0+3366+6dfb954c
apache-commons-lang-0:2.6-21.module+el8.1.0+3366+6dfb954c
bea-stax-api-0:1.2.0-16.module+el8.1.0+3366+6dfb954c
glassfish-fastinfoset-0:1.2.13-9.module+el8.1.0+3366+6dfb954c
glassfish-jaxb-api-0:2.2.12-8.module+el8.1.0+3366+6dfb954c
glassfish-jaxb-core-0:2.2.11-11.module+el8.1.0+3366+6dfb954c
glassfish-jaxb-runtime-0:2.2.11-11.module+el8.1.0+3366+6dfb954c
glassfish-jaxb-txw2-0:2.2.11-11.module+el8.1.0+3366+6dfb954c
jackson-annotations-0:2.10.0-1.module+el8.2.0+5059+3eb3af25
jackson-core-0:2.10.0-1.module+el8.2.0+5059+3eb3af25
jackson-databind-0:2.10.0-1.module+el8.2.0+5059+3eb3af25
jackson-jaxrs-json-provider-0:2.9.9-1.module+el8.1.0+3832+9784644d
jackson-jaxrs-providers-0:2.9.9-1.module+el8.1.0+3832+9784644d
jackson-module-jaxb-annotations-0:2.7.6-4.module+el8.1.0+3366+6dfb954c
jakarta-commons-httpclient-1:3.1-28.module+el8.1.0+3366+6dfb954c
javassist-0:3.18.1-8.module+el8.1.0+3366+6dfb954c
javassist-javadoc-0:3.18.1-8.module+el8.1.0+3366+6dfb954c
jss-0:4.6.2-4.module+el8.2.0+6123+b4678599
jss-debuginfo-0:4.6.2-4.module+el8.2.0+6123+b4678599
jss-debugsource-0:4.6.2-4.module+el8.2.0+6123+b4678599
jss-javadoc-0:4.6.2-4.module+el8.2.0+6123+b4678599
ldapjdk-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b
ldapjdk-javadoc-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b
pki-base-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-base-java-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-ca-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-core-debuginfo-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-core-debugsource-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-kra-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-server-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-servlet-4.0-api-1:9.0.7-16.module+el8.1.0+3366+6dfb954c
pki-servlet-engine-1:9.0.7-16.module+el8.1.0+3366+6dfb954c
pki-symkey-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-symkey-debuginfo-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-tools-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-tools-debuginfo-0:10.8.3-1.module+el8.2.0+5925+bad5981a
python-nss-debugsource-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
python-nss-doc-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
python3-nss-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
python3-nss-debuginfo-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
python3-pki-0:10.8.3-1.module+el8.2.0+5925+bad5981a
relaxngDatatype-0:2011.1-7.module+el8.1.0+3366+6dfb954c
resteasy-0:3.0.26-3.module+el8.1.0+3366+6dfb954c
slf4j-0:1.7.25-4.module+el8.1.0+3366+6dfb954c
slf4j-jdk14-0:1.7.25-4.module+el8.1.0+3366+6dfb954c
stax-ex-0:1.7.7-8.module+el8.1.0+3366+6dfb954c
tomcatjss-0:7.4.1-2.module+el8.2.0+4573+c3c38c7b
velocity-0:1.7-24.module+el8.1.0+3366+6dfb954c
xalan-j2-0:2.7.1-38.module+el8.1.0+3366+6dfb954c
xerces-j2-0:2.11.0-34.module+el8.1.0+3366+6dfb954c
xml-commons-apis-0:1.4.01-25.module+el8.1.0+3366+6dfb954c
xml-commons-resolver-0:1.2-26.module+el8.1.0+3366+6dfb954c
xmlstreambuffer-0:1.5.4-8.module+el8.1.0+3366+6dfb954c
xsom-0:0-19.20110809svn.module+el8.1.0+3366+6dfb954c

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Redhat

References