Vulnerabilities > CVE-2019-16943 - Deserialization of Untrusted Data vulnerability in multiple products

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Vulnerable Configurations

Part	Description	Count
Application	Fasterxml Fasterxml Jackson Databind 2.9.0 Fasterxml Jackson Databind 2.9.1 Fasterxml Jackson Databind 2.9.2 Fasterxml Jackson Databind 2.9.3 Fasterxml Jackson Databind 2.9.4 Fasterxml Jackson Databind 2.9.5 Fasterxml Jackson Databind 2.9.6 Fasterxml Jackson Databind 2.9.7 Fasterxml Jackson Databind 2.9.8 Fasterxml Jackson Databind 2.9.9 Fasterxml Jackson Databind 2.9.9.1 Fasterxml Jackson Databind 2.9.9.2 Fasterxml Jackson Databind 2.9.9.3 Fasterxml Jackson Databind 2.9.9.4 Fasterxml Jackson Databind 2.9.10 Fasterxml Jackson Databind 2.0.0 Fasterxml Jackson Databind 2.0.1 Fasterxml Jackson Databind 2.0.2 Fasterxml Jackson Databind 2.0.4 Fasterxml Jackson Databind 2.0.5 Fasterxml Jackson Databind 2.0.6 Fasterxml Jackson Databind 2.1.0 Fasterxml Jackson Databind 2.1.1 Fasterxml Jackson Databind 2.1.2 Fasterxml Jackson Databind 2.1.3 Fasterxml Jackson Databind 2.1.4 Fasterxml Jackson Databind 2.1.5 Fasterxml Jackson Databind 2.2.0 Fasterxml Jackson Databind 2.2.1 Fasterxml Jackson Databind 2.2.2 Fasterxml Jackson Databind 2.2.3 Fasterxml Jackson Databind 2.2.4 Fasterxml Jackson Databind 2.3.0 Fasterxml Jackson Databind 2.3.1 Fasterxml Jackson Databind 2.3.2 Fasterxml Jackson Databind 2.3.3 Fasterxml Jackson Databind 2.3.4 Fasterxml Jackson Databind 2.3.5 Fasterxml Jackson Databind 2.4.0 Fasterxml Jackson Databind 2.4.1 Fasterxml Jackson Databind 2.4.1.1 Fasterxml Jackson Databind 2.4.1.2 Fasterxml Jackson Databind 2.4.1.3 Fasterxml Jackson Databind 2.4.2 Fasterxml Jackson Databind 2.4.3 Fasterxml Jackson Databind 2.4.4 Fasterxml Jackson Databind 2.4.5 Fasterxml Jackson Databind 2.4.5.1 Fasterxml Jackson Databind 2.4.6 Fasterxml Jackson Databind 2.4.6.1 Fasterxml Jackson Databind 2.5.0 Fasterxml Jackson Databind 2.5.1 Fasterxml Jackson Databind 2.5.2 Fasterxml Jackson Databind 2.5.3 Fasterxml Jackson Databind 2.5.4 Fasterxml Jackson Databind 2.5.5 Fasterxml Jackson Databind 2.6.0 Fasterxml Jackson Databind 2.6.1 Fasterxml Jackson Databind 2.6.2 Fasterxml Jackson Databind 2.6.3 Fasterxml Jackson Databind 2.6.4 Fasterxml Jackson Databind 2.6.5 Fasterxml Jackson Databind 2.6.6 Fasterxml Jackson Databind 2.6.7 Fasterxml Jackson Databind 2.6.7.1 Fasterxml Jackson Databind 2.6.7.2 Fasterxml Jackson Databind 2.7.0 Fasterxml Jackson Databind 2.7.1 Fasterxml Jackson Databind 2.7.1-1 Fasterxml Jackson Databind 2.7.2 Fasterxml Jackson Databind 2.7.3 Fasterxml Jackson Databind 2.7.4 Fasterxml Jackson Databind 2.7.5 Fasterxml Jackson Databind 2.7.6 Fasterxml Jackson Databind 2.7.7 Fasterxml Jackson Databind 2.7.8 Fasterxml Jackson Databind 2.7.9 Fasterxml Jackson Databind 2.7.9.1 Fasterxml Jackson Databind 2.7.9.2 Fasterxml Jackson Databind 2.7.9.3 Fasterxml Jackson Databind 2.7.9.4 Fasterxml Jackson Databind 2.7.9.5 Fasterxml Jackson Databind 2.7.9.6 Fasterxml Jackson Databind 2.7.9.7 Fasterxml Jackson Databind 2.8.0 Fasterxml Jackson Databind 2.8.1 Fasterxml Jackson Databind 2.8.2 Fasterxml Jackson Databind 2.8.3 Fasterxml Jackson Databind 2.8.4 Fasterxml Jackson Databind 2.8.5 Fasterxml Jackson Databind 2.8.6 Fasterxml Jackson Databind 2.8.7 Fasterxml Jackson Databind 2.8.8 Fasterxml Jackson Databind 2.8.8.1 Fasterxml Jackson Databind 2.8.9 Fasterxml Jackson Databind 2.8.10 Fasterxml Jackson Databind 2.8.11 Fasterxml Jackson Databind 2.8.11.1 Fasterxml Jackson Databind 2.8.11.2 Fasterxml Jackson Databind 2.8.11.3 Fasterxml Jackson Databind 2.8.11.4	131
Application	Redhat Redhat Jboss Enterprise Application Platform 7.2 Redhat Jboss Enterprise Application Platform 7.3	2
Application	Oracle Oracle Banking Platform 2.4.0 Oracle Banking Platform 2.4.1 Oracle Banking Platform 2.5.0 Oracle Banking Platform 2.6.0 Oracle Banking Platform 2.6.1 Oracle Banking Platform 2.6.2 Oracle Banking Platform 2.7.0 Oracle Banking Platform 2.7.1 Oracle Banking Platform 2.9.0 Oracle JD Edwards Enterpriseone Tools 9.2 Oracle Primavera Gateway 16.1 Oracle Primavera Gateway 16.2 Oracle Primavera Gateway 19.12.0 Oracle Primavera Gateway 18.8.0 Oracle Primavera Gateway 18.8.8 Oracle Primavera Gateway 17.7 Oracle Primavera Gateway 17.12 Oracle Primavera Gateway 17.12.0 Oracle Primavera Gateway 17.12.6 Oracle Weblogic Server 12.2.1.3.0 Oracle Weblogic Server 12.2.1.4.0 Oracle Webcenter Portal 12.2.1.3.0 Oracle Webcenter Portal 12.2.1.4.0 Oracle Webcenter Sites 12.2.1.3.0 Oracle Webcenter Sites 12.2.1.4.0 Oracle JD Edwards Enterpriseone Orchestrator 9.2 Oracle Communications Billing AND Revenue Management 12.0.0.3.0 Oracle Communications Billing AND Revenue Management 7.5.0.23.0 Oracle Trace File Analyzer 19C Oracle Trace File Analyzer 18C Oracle Trace File Analyzer 12.2.0.1 Oracle Siebel Engineering Installer & Deployment - Oracle Siebel Engineering Installer & Deployment 2.1.1 Oracle Siebel Engineering Installer & Deployment 2.20.5 Oracle Retail Sales Audit 14.1 Oracle Retail Merchandising System 15.0.3 Oracle Retail Merchandising System 16.0.2 Oracle Retail Merchandising System 16.0.3 Oracle Global Lifecycle Management Nextgen OUI Framework 13.9.4.2.2 Oracle Global Lifecycle Management Nextgen OUI Framework 12.2.1.4.0 Oracle Global Lifecycle Management Nextgen OUI Framework 12.2.1.3.0 Oracle Communications Evolved Communications Application Server 7.1 Oracle Communications Calendar Server 8.0.0.3.0 Oracle Communications Calendar Server 8.0.0.2.0 Oracle Goldengate Application Adapters 19.1.0.0.0 Oracle Communications Cloud Native Core Network Slice Selection Function 1.2.1	46
Application	Netapp Netapp Steelstore Cloud Integrated Storage - Netapp Oncommand Workflow Automation - Netapp Service Level Manager - Netapp Oncommand API Services - Netapp Active IQ Unified Manager 7.3 Netapp Active IQ Unified Manager 9.5 Netapp Active IQ Unified Manager 9.6 Netapp Active IQ Unified Manager 9.10 Netapp Active IQ Unified Manager 9.11P1	15
OS	Debian Debian Debian Linux 8.0 Debian Debian Linux 9.0 Debian Debian Linux 10.0	3
OS	Fedoraproject Fedoraproject Fedora 30 Fedoraproject Fedora 31	2
OS	Redhat Redhat Enterprise Linux Server 6.0 Redhat Enterprise Linux Server 7.0 Redhat Enterprise Linux Server 8.0	3

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Nessus

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-0160.NASL
description	An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI
last seen	2020-06-01
modified	2020-06-02
plugin id	133157
published	2020-01-22
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133157
title	RHEL 7 : JBoss EAP (RHSA-2020:0160)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:0160. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(133157); script_version("1.2"); script_cvs_date("Date: 2020/01/24"); script_cve_id("CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"); script_xref(name:"RHSA", value:"2020:0160"); script_name(english:"RHEL 7 : JBoss EAP (RHSA-2020:0160)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885) * netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942) * jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943) * jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531) * jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893) * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219) * jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/documentation/en-us/" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:0160" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-10219" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14540" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14885" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14888" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14892" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14893" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16335" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16869" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16942" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16943" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17267" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17531" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk11"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-java-jdk8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2020:0160"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (! (rpm_exists(release:"RHEL7", rpm:"eap7-jboss"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP"); if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-3.2.11-1.redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-core-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jberet-1.3.5-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-netty-4.1.42-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-java-jdk11-7.2.6-5.GA_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-java-jdk8-7.2.6-5.GA_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el7")) flag++; if (rpm_check(release:"RHEL7", reference:"eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc"); } }

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-0159.NASL
description	An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI
last seen	2020-06-01
modified	2020-06-02
plugin id	133156
published	2020-01-22
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133156
title	RHEL 6 : JBoss EAP (RHSA-2020:0159)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:0159. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(133156); script_version("1.2"); script_cvs_date("Date: 2020/01/24"); script_cve_id("CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"); script_xref(name:"RHSA", value:"2020:0159"); script_name(english:"RHEL 6 : JBoss EAP (RHSA-2020:0159)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885) * netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942) * jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943) * jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531) * jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893) * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219) * jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/documentation/en-us/" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:0159" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-10219" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14540" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14885" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14888" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14892" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14893" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16335" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16869" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16942" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16943" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17267" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17531" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2020:0159"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (! (rpm_exists(release:"RHEL6", rpm:"eap7-jboss"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP"); if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-3.2.11-1.redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-core-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jberet-1.3.5-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-netty-4.1.42-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el6")) flag++; if (rpm_check(release:"RHEL6", reference:"eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc"); } }

NASL family	CGI abuses
NASL id	ORACLE_PRIMAVERA_GATEWAY_CPU_APR_2020.NASL
description	The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by the following vulnerabilities as referenced in the April 2020 CPU advisory: - In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. However, this characteristic of the PropertyUtilsBean was not used by default. (CVE-2019-10086) - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. (CVE-2019-12402) - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. (CVE-2019-16943) - Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. (CVE-2019-17195) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-05-08
modified	2020-04-15
plugin id	135583
published	2020-04-15
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135583
title	Oracle Primavera Gateway (Apr 2020 CPU)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(135583); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06"); script_cve_id( "CVE-2019-10086", "CVE-2019-12402", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17195", "CVE-2019-17531" ); script_xref(name:"IAVA", value:"2020-A-0140"); script_name(english:"Oracle Primavera Gateway (Apr 2020 CPU)"); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by multiple vulnerabilities"); script_set_attribute(attribute:"description", value: "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by the following vulnerabilities as referenced in the April 2020 CPU advisory: - In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. However, this characteristic of the PropertyUtilsBean was not used by default. (CVE-2019-10086) - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. (CVE-2019-12402) - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. (CVE-2019-16943) - Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. (CVE-2019-17195) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2020.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-16943"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/15"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_gateway"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_primavera_gateway.nbin"); script_require_keys("installed_sw/Oracle Primavera Gateway"); script_require_ports("Services/www", 8006); exit(0); } include('http.inc'); include('vcf.inc'); get_install_count(app_name:'Oracle Primavera Gateway', exit_if_zero:TRUE); port = get_http_port(default:8006); app_info = vcf::get_app_info(app:'Oracle Primavera Gateway', port:port); vcf::check_granularity(app_info:app_info, sig_segments:2); constraints = [ { 'min_version' : '16.2.0', 'max_version' : '16.2.11', 'fixed_display' : 'Upgrade to the latest version or contact customer support for more information.' }, { 'min_version' : '17.12.0', 'fixed_version' : '17.12.7' }, { 'min_version' : '18.8.0', 'fixed_version' : '18.8.8.9' }, { 'min_version' : '19.12.0', 'fixed_version' : '19.12.4' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-0161.NASL
description	An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI
last seen	2020-06-01
modified	2020-06-02
plugin id	133158
published	2020-01-22
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133158
title	RHEL 8 : JBoss EAP (RHSA-2020:0161)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:0161. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(133158); script_version("1.2"); script_cvs_date("Date: 2020/01/24"); script_cve_id("CVE-2019-10219", "CVE-2019-14540", "CVE-2019-14885", "CVE-2019-14888", "CVE-2019-14892", "CVE-2019-14893", "CVE-2019-16335", "CVE-2019-16869", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17267", "CVE-2019-17531"); script_xref(name:"RHSA", value:"2020:0161"); script_name(english:"RHEL 8 : JBoss EAP (RHSA-2020:0161)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es) : * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885) * netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * jackson-databind: Serialization gadgets in classes of the commons-dbcp package (CVE-2019-16942) * jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: Serialization gadgets in classes of the p6spy package (CVE-2019-16943) * jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution (CVE-2019-17531) * jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893) * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219) * jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:0161" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-10219" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14540" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14885" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14888" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14892" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-14893" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16335" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16869" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16942" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-16943" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17267" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2019-17531" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-services"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-apache-cxf-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-glassfish-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hal-console"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-entitymanager"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-envers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-hibernate-validator-cdi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-binary"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-dataformats-text"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jdk8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-datatype-jsr310"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-jaxrs-json-provider"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-module-jaxb-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jackson-modules-java8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jberet-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-jsf-api_2.3_spec"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap6.4-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly10.1-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly11.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly12.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly13.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly14.0-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly8.2-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-server-migration-wildfly9.0-to-eap7.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-jboss-xnio-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-netty-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-bindings"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-picketlink-wildfly8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-undertow-jastow"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-impl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-core-jsf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-ejb"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-jta"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-probe-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-weld-web"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-client-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-ejb-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-naming-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-http-transaction-client"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-javadocs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-modules"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:eap7-wildfly-transaction-client"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^8([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 8.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2020:0161"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (! (rpm_exists(release:"RHEL8", rpm:"eap7-jboss"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP"); if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-3.2.11-1.redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-rt-3.2.11-1.redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-services-3.2.11-1.redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-apache-cxf-tools-3.2.11-1.redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-glassfish-jsf-2.3.5-6.SP3_redhat_00004.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hal-console-3.0.19-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-5.3.14-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-core-5.3.14-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-entitymanager-5.3.14-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-envers-5.3.14-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-java8-5.3.14-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-validator-6.0.18-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-hibernate-validator-cdi-6.0.18-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-annotations-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-core-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-databind-2.9.10.1-1.redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-dataformats-binary-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-dataformats-text-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-datatype-jdk8-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-datatype-jsr310-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-jaxrs-base-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-jaxrs-json-provider-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-module-jaxb-annotations-2.9.10-2.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-modules-base-2.9.10-2.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jackson-modules-java8-2.9.10-1.redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jberet-1.3.5-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jberet-core-1.3.5-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-ejb-client-4.0.27-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-jsf-api_2.3_spec-2.3.5-3.SP2_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-cli-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-core-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap6.4-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.1-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.1-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly11.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly12.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly13.0-server-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly14.0-server-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly8.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly9.0-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-7.Final_redhat_00007.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-jboss-xnio-base-3.7.6-3.SP2_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-netty-4.1.42-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-netty-all-4.1.42-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-picketlink-bindings-2.5.5-21.SP12_redhat_00010.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-picketlink-wildfly8-2.5.5-21.SP12_redhat_00010.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-undertow-2.0.28-2.SP1_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-undertow-jastow-2.0.8-1.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-core-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-core-impl-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-core-jsf-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-ejb-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-jta-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-probe-core-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-weld-web-3.0.6-3.Final_redhat_00003.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-7.2.6-5.GA_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-client-common-1.0.18-2.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-ejb-client-1.0.18-2.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-naming-client-1.0.18-2.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-http-transaction-client-1.0.18-2.Final_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-javadocs-7.2.6-5.GA_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-modules-7.2.6-5.GA_redhat_00001.1.el8")) flag++; if (rpm_check(release:"RHEL8", reference:"eap7-wildfly-transaction-client-1.1.8-1.Final_redhat_00001.1.el8")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "eap7-apache-cxf / eap7-apache-cxf-rt / eap7-apache-cxf-services / etc"); } }

NASL family	Misc.
NASL id	ORACLE_WEBLOGIC_SERVER_CPU_APR_2020.NASL
description	The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the CPUApr2020 advisory. - A remote code execution vulnerability exists in the Log4j SocketServer class due to unsafe deserialization of untrusted data. An unauthenticated, remote attacker can exploit this to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. (CVE-2019-17571) - An information disclosure vulnerability exists in the Console component. An unauthenticated, remote attacker can exploit this to gain unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2020-2766) - A vulnerability in the WLS Web Services component exists. An authenticated, remote attacker can exploit this via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-2798) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-10
modified	2020-04-16
plugin id	135680
published	2020-04-16
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135680
title	Oracle WebLogic Server (Apr 2020 CPU)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(135680); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/03"); script_cve_id( "CVE-2019-16943", "CVE-2019-17359", "CVE-2019-17571", "CVE-2020-2766", "CVE-2020-2798", "CVE-2020-2801", "CVE-2020-2811", "CVE-2020-2828", "CVE-2020-2829", "CVE-2020-2867", "CVE-2020-2869", "CVE-2020-2883", "CVE-2020-2884", "CVE-2020-2963" ); script_xref(name:"IAVA", value:"2020-A-0153"); script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (Apr 2020 CPU)"); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by multiple vulnerabilities"); script_set_attribute(attribute:"description", value: "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the CPUApr2020 advisory. - A remote code execution vulnerability exists in the Log4j SocketServer class due to unsafe deserialization of untrusted data. An unauthenticated, remote attacker can exploit this to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. (CVE-2019-17571) - An information disclosure vulnerability exists in the Console component. An unauthenticated, remote attacker can exploit this to gain unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2020-2766) - A vulnerability in the WLS Web Services component exists. An authenticated, remote attacker can exploit this via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-2798) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpuapr2020cvrf.xml"); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2020.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory."); script_set_attribute(attribute:"agent", value:"all"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17571"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'WebLogic Server Deserialization RCE BadAttributeValueExpException ExtComp'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl"); script_require_keys("installed_sw/Oracle WebLogic Server"); exit(0); } include('audit.inc'); include('install_func.inc'); app_name = 'Oracle WebLogic Server'; os = get_kb_item_or_exit('Host/OS'); if ('windows' >< tolower(os)) { port = get_kb_item('SMB/transport'); if (!port) port = 445; } else port = 0; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); version = install['version']; fix = NULL; fix_ver = NULL; if (version =~ "^12\.2\.1\.4($\|[^0-9])") { fix_ver = '12.2.1.4.200228'; fix = make_list('30970477', '30761841', '31101341'); } else if (version =~ "^12\.2\.1\.3($\|[^0-9])") { fix_ver = '12.2.1.3.200227'; fix = make_list('30965714'); } else if (version =~ "^12\.1\.3\.") { fix_ver = '12.1.3.0.200414'; fix = make_list('30857795'); } else if (version =~ "^10\.3\.6\.") { fix_ver = '10.3.6.0.200414'; fix = make_list('Q3ZB'); } if (isnull(fix_ver) \|\| ver_compare(ver:version, fix:fix_ver, strict:FALSE) >= 0) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, install['path']); else { report = '\n Oracle Home : ' + install['Oracle Home'] + '\n Install path : ' + install['path'] + '\n Version : ' + version + '\n Fixes : ' + join(sep:', ', fix); security_report_v4(extra:report, severity:SECURITY_HOLE, port:port); }

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1943.NASL
description	More deserialization flaws were discovered in jackson-databind relating to the classes in com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource, commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an unauthenticated user to perform remote code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. For Debian 8
last seen	2020-06-01
modified	2020-06-02
plugin id	129539
published	2019-10-03
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129539
title	Debian DLA-1943-1 : jackson-databind security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1943-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(129539); script_version("1.3"); script_cvs_date("Date: 2019/12/23"); script_cve_id("CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"); script_name(english:"Debian DLA-1943-1 : jackson-databind security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "More deserialization flaws were discovered in jackson-databind relating to the classes in com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource, commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an unauthenticated user to perform remote code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. For Debian 8 'Jessie', these problems have been fixed in version 2.4.2-2+deb8u9. We recommend that you upgrade your jackson-databind packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/jackson-databind" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjackson2-databind-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libjackson2-databind-java-doc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libjackson2-databind-java", reference:"2.4.2-2+deb8u9")) flag++; if (deb_check(release:"8.0", prefix:"libjackson2-databind-java-doc", reference:"2.4.2-2+deb8u9")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-1644.NASL
description	The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1644 advisory. - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540) - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942) - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943) - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-05-21
modified	2020-04-28
plugin id	136041
published	2020-04-28
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136041
title	RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:1644)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:1644. The text # itself is copyright (C) Red Hat, Inc. # include('compat.inc'); if (description) { script_id(136041); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/20"); script_cve_id( "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17531" ); script_xref(name:"RHSA", value:"2020:1644"); script_name(english:"RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:1644)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute(attribute:"synopsis", value: "The remote Red Hat host is missing one or more security updates."); script_set_attribute(attribute:"description", value: "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1644 advisory. - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540) - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942) - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943) - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/502.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/200.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/20.html"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1644"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-14540"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-16335"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-16942"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-16943"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-17531"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1755831"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1755849"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1758187"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1758191"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1775293"); script_set_attribute(attribute:"solution", value: "Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17531"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_cwe_id(20, 200, 502); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:enterprise_linux:8::appstream"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:apache-commons-collections"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:apache-commons-lang"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bea-stax-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-fastinfoset"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-runtime"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-txw2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-json-provider"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-providers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jackson-module-jaxb-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-httpclient"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:javassist"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:javassist-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jss-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jss-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ldapjdk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ldapjdk-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-base-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-ca"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-core-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-kra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-servlet-4.0-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-servlet-engine"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-symkey"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pki-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-nss-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-nss-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3-nss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3-pki"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:relaxngDatatype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:resteasy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:slf4j"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:slf4j-jdk14"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:stax-ex"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:tomcatjss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:velocity"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xalan-j2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xerces-j2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-apis"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xmlstreambuffer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xsom"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Red Hat Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('rpm.inc'); if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item('Host/RedHat/release'); if (isnull(release) \|\| 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat'); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat'); os_ver = os_ver[1]; if (! preg(pattern:"^8([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver); if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item('Host/cpu'); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu); appstreams = { 'pki-deps:10.6': [ {'reference':'apache-commons-collections-3.2.2-10.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'apache-commons-lang-2.6-21.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'bea-stax-api-1.2.0-16.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'glassfish-fastinfoset-1.2.13-9.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'glassfish-jaxb-api-2.2.12-8.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'glassfish-jaxb-core-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'glassfish-jaxb-runtime-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'glassfish-jaxb-txw2-2.2.11-11.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'jackson-annotations-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8'}, {'reference':'jackson-core-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8'}, {'reference':'jackson-databind-2.10.0-1.module+el8.2.0+5059+3eb3af25', 'release':'8'}, {'reference':'jackson-jaxrs-json-provider-2.9.9-1.module+el8.1.0+3832+9784644d', 'release':'8'}, {'reference':'jackson-jaxrs-providers-2.9.9-1.module+el8.1.0+3832+9784644d', 'release':'8'}, {'reference':'jackson-module-jaxb-annotations-2.7.6-4.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'jakarta-commons-httpclient-3.1-28.module+el8.1.0+3366+6dfb954c', 'release':'8', 'epoch':'1'}, {'reference':'javassist-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'javassist-javadoc-3.18.1-8.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'pki-servlet-4.0-api-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'release':'8', 'epoch':'1'}, {'reference':'pki-servlet-engine-9.0.7-16.module+el8.1.0+3366+6dfb954c', 'release':'8', 'epoch':'1'}, {'reference':'python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'aarch64', 'release':'8'}, {'reference':'python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'s390x', 'release':'8'}, {'reference':'python-nss-debugsource-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'x86_64', 'release':'8'}, {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'aarch64', 'release':'8'}, {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'s390x', 'release':'8'}, {'reference':'python-nss-doc-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'x86_64', 'release':'8'}, {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'aarch64', 'release':'8'}, {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'s390x', 'release':'8'}, {'reference':'python3-nss-1.0.1-10.module+el8.1.0+3366+6dfb954c', 'cpu':'x86_64', 'release':'8'}, {'reference':'relaxngDatatype-2011.1-7.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'resteasy-3.0.26-3.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'slf4j-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'slf4j-jdk14-1.7.25-4.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'stax-ex-1.7.7-8.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'velocity-1.7-24.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xalan-j2-2.7.1-38.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xerces-j2-2.11.0-34.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xml-commons-apis-1.4.01-25.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xml-commons-resolver-1.2-26.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xmlstreambuffer-1.5.4-8.module+el8.1.0+3366+6dfb954c', 'release':'8'}, {'reference':'xsom-0-19.20110809svn.module+el8.1.0+3366+6dfb954c', 'release':'8'} ], 'pki-core:10.6': [ {'reference':'jss-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'aarch64', 'release':'8'}, {'reference':'jss-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'s390x', 'release':'8'}, {'reference':'jss-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'x86_64', 'release':'8'}, {'reference':'jss-debugsource-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'aarch64', 'release':'8'}, {'reference':'jss-debugsource-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'s390x', 'release':'8'}, {'reference':'jss-debugsource-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'x86_64', 'release':'8'}, {'reference':'jss-javadoc-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'aarch64', 'release':'8'}, {'reference':'jss-javadoc-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'s390x', 'release':'8'}, {'reference':'jss-javadoc-4.6.2-4.module+el8.2.0+6123+b4678599', 'cpu':'x86_64', 'release':'8'}, {'reference':'ldapjdk-4.21.0-2.module+el8.2.0+4573+c3c38c7b', 'release':'8'}, {'reference':'ldapjdk-javadoc-4.21.0-2.module+el8.2.0+4573+c3c38c7b', 'release':'8'}, {'reference':'pki-base-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'pki-base-java-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'pki-ca-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'pki-core-debugsource-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'aarch64', 'release':'8'}, {'reference':'pki-core-debugsource-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'s390x', 'release':'8'}, {'reference':'pki-core-debugsource-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'x86_64', 'release':'8'}, {'reference':'pki-kra-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'pki-server-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'aarch64', 'release':'8'}, {'reference':'pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'s390x', 'release':'8'}, {'reference':'pki-symkey-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'x86_64', 'release':'8'}, {'reference':'pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'aarch64', 'release':'8'}, {'reference':'pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'s390x', 'release':'8'}, {'reference':'pki-tools-10.8.3-1.module+el8.2.0+5925+bad5981a', 'cpu':'x86_64', 'release':'8'}, {'reference':'python3-pki-10.8.3-1.module+el8.2.0+5925+bad5981a', 'release':'8'}, {'reference':'tomcatjss-7.4.1-2.module+el8.2.0+4573+c3c38c7b', 'release':'8'} ], }; flag = 0; appstreams_found = 0; foreach module (keys(appstreams)) { appstream = NULL; appstream_name = NULL; appstream_version = NULL; appstream_split = split(module, sep:':', keep:FALSE); if (!empty_or_null(appstream_split)) { appstream_name = appstream_split[0]; appstream_version = appstream_split[1]; appstream = get_kb_item('Host/RedHat/appstream/' + appstream_name); } if (!empty_or_null(appstream) && appstream_version == appstream \|\| appstream_name == 'all') { appstreams_found++; foreach package_array ( appstreams[module] ) { reference = NULL; release = NULL; sp = NULL; cpu = NULL; el_string = NULL; rpm_spec_vers_cmp = NULL; epoch = NULL; if (!empty_or_null(package_array['reference'])) reference = package_array['reference']; if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release']; if (!empty_or_null(package_array['sp'])) sp = package_array['sp']; if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu']; if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string']; if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp']; if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch']; if (reference && release) { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++; } } } } if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module pki-core:10.6 / pki-deps:10.6'); if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache-commons-collections / apache-commons-lang / bea-stax-api / etc'); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2019-B171554877.NASL
description	- Update jackson-parent to version 2.10. - Update jackson-bom to version 2.10.0. - Update jackson-annotations to version 2.10.0. - Update jackson-core to version 2.10.0. - Update jackson-databind to version 2.10.0. Resolves CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	129833
published	2019-10-14
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129833
title	Fedora 30 : jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc (2019-b171554877)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-b171554877. # include("compat.inc"); if (description) { script_id(129833); script_version("1.3"); script_cvs_date("Date: 2019/12/19"); script_cve_id("CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"); script_xref(name:"FEDORA", value:"2019-b171554877"); script_name(english:"Fedora 30 : jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc (2019-b171554877)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: " - Update jackson-parent to version 2.10. - Update jackson-bom to version 2.10.0. - Update jackson-annotations to version 2.10.0. - Update jackson-core to version 2.10.0. - Update jackson-databind to version 2.10.0. Resolves CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-b171554877" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-annotations"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-bom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-core"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-databind"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:jackson-parent"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^30([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC30", reference:"jackson-annotations-2.10.0-1.fc30")) flag++; if (rpm_check(release:"FC30", reference:"jackson-bom-2.10.0-1.fc30")) flag++; if (rpm_check(release:"FC30", reference:"jackson-core-2.10.0-1.fc30")) flag++; if (rpm_check(release:"FC30", reference:"jackson-databind-2.10.0-1.fc30")) flag++; if (rpm_check(release:"FC30", reference:"jackson-parent-2.10-1.fc30")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jackson-annotations / jackson-bom / jackson-core / jackson-databind / etc"); }

NASL family	Windows
NASL id	ORACLE_WEBCENTER_SITES_APR_2020_CPU.NASL
description	Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities. - Component: Advanced UI (jQuery). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data (CVE-2019-11358). - Component: Sites (jackson-databind). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites (CVE-2019-16943). - Component: Advanced UI. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data (CVE-2020-2739 ).
last seen	2020-05-08
modified	2020-04-16
plugin id	135676
published	2020-04-16
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135676
title	Oracle WebCenter Sites Multiple Vulnerabilities (April 2020 CPU)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(135676); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/24"); script_cve_id("CVE-2019-11358", "CVE-2019-16943", "CVE-2020-2739"); script_xref(name:"IAVA", value:"2020-A-0153"); script_name(english:"Oracle WebCenter Sites Multiple Vulnerabilities (April 2020 CPU)"); script_set_attribute(attribute:"synopsis", value: "An application running on the remote host is affected by multiple security vulnerabilities."); script_set_attribute(attribute:"description", value: "Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities. - Component: Advanced UI (jQuery). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data as well as unauthorized read access to a subset of Oracle WebCenter Sites accessible data (CVE-2019-11358). - Component: Sites (jackson-databind). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites (CVE-2019-16943). - Component: Advanced UI. The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data (CVE-2020-2739)."); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2020.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-16943"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/15"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_webcenter_sites_installed.nbin", "oracle_enum_products_win.nbin"); script_require_keys("SMB/WebCenter_Sites/Installed"); exit(0); } include('oracle_rdbms_cpu_func.inc'); port = get_kb_item('SMB/transport'); if (isnull(port)) port = 445; get_kb_item_or_exit('SMB/WebCenter_Sites/Installed'); versions = get_kb_list('SMB/WebCenter_Sites/*/Version'); if (isnull(versions)) exit(1, 'Unable to obtain a version list for Oracle WebCenter Sites.'); report = ''; # vulnerable versions: # - 12.2.1.3.0 - Revision 185862, Patch 29957990 # Note that the revision does not match up with the version suffix shown in the readme # # - 12.2.1.4.0 - Patch 31101341 # This patch does not change revision. Need to find specific patch foreach key (keys(versions)) { fix = ''; version = versions[key]; revision = get_kb_item(key - '/Version' + '/Revision'); path = get_kb_item(key - '/Version' + '/Path'); if (isnull(version) \|\| isnull(revision)) continue; # Patch 29957990 - 12.2.1.3.0 < Revision 185862 if (version =~ "^12\.2\.1\.3\.0$" && revision < 185862) { fix = '\n Fixed revision : 185862' + '\n Required patch : 29957990'; } # Patch 31101341 - 12.2.1.4.0 else if (version =~ "^12\.2\.1\.4\.0$") { # Revision check does not work. Must find specific patch patch = '31101341'; oracle_homes = query_scratchpad("SELECT path FROM oracle_homes"); if (!max_index(oracle_homes)) exit(1, 'Failed to get any Oracle homes from the scratchpad.'); ohome = NULL; # Find the correct ohome foreach res (oracle_homes) { testpath = res['path']; if (testpath >< tolower(path)) { ohome = testpath; break; } } if (empty_or_null(ohome)) exit(1, 'Failed to find the proper Oracle home in the scratchpad.'); patchesinstalled = query_scratchpad("SELECT patchid FROM oracle_patches WHERE ohome=?;", ohome); patched = FALSE; # Check if patch is in ohome if (!isnull(patchesinstalled)) { patched = FALSE; foreach item (patchesinstalled) { if (item['patchid'] == patch) patched = TRUE; } } if(!patched) fix = '\n Required patch : 31101341'; } if (fix != '') { if (!isnull(path)) report += '\n Path : ' + path; report += '\n Version : ' + version + '\n Revision : ' + revision + fix + '\n'; } } if (report != '') security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); else audit(AUDIT_INST_VER_NOT_VULN, 'Oracle WebCenter Sites');

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4542.NASL
description	It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server.
last seen	2020-06-01
modified	2020-06-02
plugin id	129597
published	2019-10-07
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129597
title	Debian DSA-4542-1 : jackson-databind - security update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4542. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(129597); script_version("1.3"); script_cvs_date("Date: 2019/12/23"); script_cve_id("CVE-2019-12384", "CVE-2019-14439", "CVE-2019-14540", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943"); script_xref(name:"DSA", value:"4542"); script_name(english:"Debian DSA-4542-1 : jackson-databind - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941530" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940498" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933393" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750" ); # https://security-tracker.debian.org/tracker/source-package/jackson-databind script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?61134ddf" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/jackson-databind" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/buster/jackson-databind" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4542" ); script_set_attribute( attribute:"solution", value: "Upgrade the jackson-databind packages. For the oldstable distribution (stretch), these problems have been fixed in version 2.8.6-1+deb9u6. For the stable distribution (buster), these problems have been fixed in version 2.9.8-3+deb10u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:jackson-databind"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/24"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/07"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"10.0", prefix:"libjackson2-databind-java", reference:"2.9.8-3+deb10u1")) flag++; if (deb_check(release:"10.0", prefix:"libjackson2-databind-java-doc", reference:"2.9.8-3+deb10u1")) flag++; if (deb_check(release:"9.0", prefix:"libjackson2-databind-java", reference:"2.8.6-1+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"libjackson2-databind-java-doc", reference:"2.8.6-1+deb9u6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	CGI abuses
NASL id	ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2020.NASL
description	The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the CPUApr2020 advisory. - initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. (CVE-2019-13990) - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. (CVE-2019-16943) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-05-08
modified	2020-04-15
plugin id	135584
published	2020-04-15
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135584
title	Oracle Primavera Unifier (Apr 2020 CPU)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(135584); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/06"); script_cve_id("CVE-2019-13990", "CVE-2019-16943", "CVE-2019-5427"); script_xref(name:"IAVA", value:"2020-A-0140"); script_name(english:"Oracle Primavera Unifier (Apr 2020 CPU)"); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by multiple vulnerabilities"); script_set_attribute(attribute:"description", value: "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the CPUApr2020 advisory. - initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. (CVE-2019-13990) - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. (CVE-2019-16943) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpuapr2020cvrf.xml"); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2020.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-16943"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_unifier"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_primavera_unifier.nbin"); script_require_keys("installed_sw/Oracle Primavera Unifier", "www/weblogic"); script_require_ports("Services/www", 8002); exit(0); } include('http.inc'); include('vcf.inc'); get_install_count(app_name:'Oracle Primavera Unifier', exit_if_zero:TRUE); port = get_http_port(default:8002); get_kb_item_or_exit('www/weblogic/' + port + '/installed'); app_info = vcf::get_app_info(app:'Oracle Primavera Unifier', port:port); vcf::check_granularity(app_info:app_info, sig_segments:3); constraints = [ { 'min_version' : '16.1', 'fixed_version' : '16.2.16.1' }, { 'min_version' : '17.7', 'fixed_version' : '17.12.11.3' }, { 'min_version' : '18.8', 'fixed_version' : '18.8.16' }, { 'min_version' : '19.12', 'fixed_version' : '19.12.4' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

Redhat

advisories

rhsa
id RHSA-2020:0159
rhsa
id RHSA-2020:0160
rhsa
id RHSA-2020:0161
rhsa
id RHSA-2020:0164
rhsa
id RHSA-2020:0445

rpms

eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el6eap
eap7-apache-cxf-rt-0:3.2.11-1.redhat_00001.1.el6eap
eap7-apache-cxf-services-0:3.2.11-1.redhat_00001.1.el6eap
eap7-apache-cxf-tools-0:3.2.11-1.redhat_00001.1.el6eap
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el6eap
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el6eap
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el6eap
eap7-hibernate-core-0:5.3.14-1.Final_redhat_00001.1.el6eap
eap7-hibernate-entitymanager-0:5.3.14-1.Final_redhat_00001.1.el6eap
eap7-hibernate-envers-0:5.3.14-1.Final_redhat_00001.1.el6eap
eap7-hibernate-java8-0:5.3.14-1.Final_redhat_00001.1.el6eap
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el6eap
eap7-hibernate-validator-cdi-0:6.0.18-1.Final_redhat_00001.1.el6eap
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el6eap
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-datatype-jdk8-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-datatype-jsr310-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-jaxrs-base-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-jaxrs-json-provider-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jackson-module-jaxb-annotations-0:2.9.10-2.redhat_00003.1.el6eap
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el6eap
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el6eap
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el6eap
eap7-jberet-core-0:1.3.5-1.Final_redhat_00001.1.el6eap
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el6eap
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el6eap
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-cli-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-core-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap6.4-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap6.4-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap7.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap7.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap7.1-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap7.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly10.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly10.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly10.1-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly10.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly11.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly11.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly12.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly12.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly13.0-server-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly14.0-server-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly8.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly8.2-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly9.0-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-server-migration-wildfly9.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el6eap
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el6eap
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el6eap
eap7-netty-all-0:4.1.42-1.Final_redhat_00001.1.el6eap
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el6eap
eap7-picketlink-wildfly8-0:2.5.5-21.SP12_redhat_00010.1.el6eap
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el6eap
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el6eap
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-core-impl-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-core-jsf-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-ejb-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-jta-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-probe-core-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-weld-web-0:3.0.6-3.Final_redhat_00003.1.el6eap
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el6eap
eap7-wildfly-http-client-common-0:1.0.18-2.Final_redhat_00001.1.el6eap
eap7-wildfly-http-ejb-client-0:1.0.18-2.Final_redhat_00001.1.el6eap
eap7-wildfly-http-naming-client-0:1.0.18-2.Final_redhat_00001.1.el6eap
eap7-wildfly-http-transaction-client-0:1.0.18-2.Final_redhat_00001.1.el6eap
eap7-wildfly-javadocs-0:7.2.6-5.GA_redhat_00001.1.el6eap
eap7-wildfly-modules-0:7.2.6-5.GA_redhat_00001.1.el6eap
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el6eap
eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el7eap
eap7-apache-cxf-rt-0:3.2.11-1.redhat_00001.1.el7eap
eap7-apache-cxf-services-0:3.2.11-1.redhat_00001.1.el7eap
eap7-apache-cxf-tools-0:3.2.11-1.redhat_00001.1.el7eap
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el7eap
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el7eap
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el7eap
eap7-hibernate-core-0:5.3.14-1.Final_redhat_00001.1.el7eap
eap7-hibernate-entitymanager-0:5.3.14-1.Final_redhat_00001.1.el7eap
eap7-hibernate-envers-0:5.3.14-1.Final_redhat_00001.1.el7eap
eap7-hibernate-java8-0:5.3.14-1.Final_redhat_00001.1.el7eap
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el7eap
eap7-hibernate-validator-cdi-0:6.0.18-1.Final_redhat_00001.1.el7eap
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el7eap
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-datatype-jdk8-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-datatype-jsr310-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-jaxrs-base-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-jaxrs-json-provider-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jackson-module-jaxb-annotations-0:2.9.10-2.redhat_00003.1.el7eap
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el7eap
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el7eap
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el7eap
eap7-jberet-core-0:1.3.5-1.Final_redhat_00001.1.el7eap
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el7eap
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el7eap
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-cli-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-core-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap6.4-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap6.4-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap7.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap7.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap7.1-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap7.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly10.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly10.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly10.1-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly10.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly11.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly11.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly12.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly12.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly13.0-server-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly14.0-server-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly8.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly8.2-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly9.0-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-server-migration-wildfly9.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el7eap
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el7eap
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el7eap
eap7-netty-all-0:4.1.42-1.Final_redhat_00001.1.el7eap
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el7eap
eap7-picketlink-wildfly8-0:2.5.5-21.SP12_redhat_00010.1.el7eap
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el7eap
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el7eap
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-core-impl-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-core-jsf-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-ejb-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-jta-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-probe-core-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-weld-web-0:3.0.6-3.Final_redhat_00003.1.el7eap
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el7eap
eap7-wildfly-http-client-common-0:1.0.18-2.Final_redhat_00001.1.el7eap
eap7-wildfly-http-ejb-client-0:1.0.18-2.Final_redhat_00001.1.el7eap
eap7-wildfly-http-naming-client-0:1.0.18-2.Final_redhat_00001.1.el7eap
eap7-wildfly-http-transaction-client-0:1.0.18-2.Final_redhat_00001.1.el7eap
eap7-wildfly-java-jdk11-0:7.2.6-5.GA_redhat_00001.1.el7eap
eap7-wildfly-java-jdk8-0:7.2.6-5.GA_redhat_00001.1.el7eap
eap7-wildfly-javadocs-0:7.2.6-5.GA_redhat_00001.1.el7eap
eap7-wildfly-modules-0:7.2.6-5.GA_redhat_00001.1.el7eap
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el7eap
eap7-apache-cxf-0:3.2.11-1.redhat_00001.1.el8eap
eap7-apache-cxf-rt-0:3.2.11-1.redhat_00001.1.el8eap
eap7-apache-cxf-services-0:3.2.11-1.redhat_00001.1.el8eap
eap7-apache-cxf-tools-0:3.2.11-1.redhat_00001.1.el8eap
eap7-glassfish-jsf-0:2.3.5-6.SP3_redhat_00004.1.el8eap
eap7-hal-console-0:3.0.19-1.Final_redhat_00001.1.el8eap
eap7-hibernate-0:5.3.14-1.Final_redhat_00001.1.el8eap
eap7-hibernate-core-0:5.3.14-1.Final_redhat_00001.1.el8eap
eap7-hibernate-entitymanager-0:5.3.14-1.Final_redhat_00001.1.el8eap
eap7-hibernate-envers-0:5.3.14-1.Final_redhat_00001.1.el8eap
eap7-hibernate-java8-0:5.3.14-1.Final_redhat_00001.1.el8eap
eap7-hibernate-validator-0:6.0.18-1.Final_redhat_00001.1.el8eap
eap7-hibernate-validator-cdi-0:6.0.18-1.Final_redhat_00001.1.el8eap
eap7-jackson-annotations-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-core-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-databind-0:2.9.10.1-1.redhat_00001.1.el8eap
eap7-jackson-dataformats-binary-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-dataformats-text-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-datatype-jdk8-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-datatype-jsr310-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-jaxrs-base-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-jaxrs-json-provider-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jackson-module-jaxb-annotations-0:2.9.10-2.redhat_00003.1.el8eap
eap7-jackson-modules-base-0:2.9.10-2.redhat_00003.1.el8eap
eap7-jackson-modules-java8-0:2.9.10-1.redhat_00003.1.el8eap
eap7-jberet-0:1.3.5-1.Final_redhat_00001.1.el8eap
eap7-jberet-core-0:1.3.5-1.Final_redhat_00001.1.el8eap
eap7-jboss-ejb-client-0:4.0.27-1.Final_redhat_00001.1.el8eap
eap7-jboss-jsf-api_2.3_spec-0:2.3.5-3.SP2_redhat_00001.1.el8eap
eap7-jboss-server-migration-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-cli-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-core-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap6.4-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap6.4-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap7.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap7.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap7.1-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap7.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly10.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly10.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly10.1-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly10.1-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly11.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly11.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly12.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly12.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly13.0-server-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly14.0-server-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly8.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly8.2-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly9.0-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-server-migration-wildfly9.0-to-eap7.2-0:1.3.1-7.Final_redhat_00007.1.el8eap
eap7-jboss-xnio-base-0:3.7.6-3.SP2_redhat_00001.1.el8eap
eap7-netty-0:4.1.42-1.Final_redhat_00001.1.el8eap
eap7-netty-all-0:4.1.42-1.Final_redhat_00001.1.el8eap
eap7-picketlink-bindings-0:2.5.5-21.SP12_redhat_00010.1.el8eap
eap7-picketlink-wildfly8-0:2.5.5-21.SP12_redhat_00010.1.el8eap
eap7-undertow-0:2.0.28-2.SP1_redhat_00001.1.el8eap
eap7-undertow-jastow-0:2.0.8-1.Final_redhat_00001.1.el8eap
eap7-weld-core-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-core-impl-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-core-jsf-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-ejb-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-jta-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-probe-core-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-weld-web-0:3.0.6-3.Final_redhat_00003.1.el8eap
eap7-wildfly-0:7.2.6-5.GA_redhat_00001.1.el8eap
eap7-wildfly-http-client-common-0:1.0.18-2.Final_redhat_00001.1.el8eap
eap7-wildfly-http-ejb-client-0:1.0.18-2.Final_redhat_00001.1.el8eap
eap7-wildfly-http-naming-client-0:1.0.18-2.Final_redhat_00001.1.el8eap
eap7-wildfly-http-transaction-client-0:1.0.18-2.Final_redhat_00001.1.el8eap
eap7-wildfly-javadocs-0:7.2.6-5.GA_redhat_00001.1.el8eap
eap7-wildfly-modules-0:7.2.6-5.GA_redhat_00001.1.el8eap
eap7-wildfly-transaction-client-0:1.1.8-1.Final_redhat_00001.1.el8eap
apache-commons-collections-0:3.2.2-10.module+el8.1.0+3366+6dfb954c
apache-commons-lang-0:2.6-21.module+el8.1.0+3366+6dfb954c
bea-stax-api-0:1.2.0-16.module+el8.1.0+3366+6dfb954c
glassfish-fastinfoset-0:1.2.13-9.module+el8.1.0+3366+6dfb954c
glassfish-jaxb-api-0:2.2.12-8.module+el8.1.0+3366+6dfb954c
glassfish-jaxb-core-0:2.2.11-11.module+el8.1.0+3366+6dfb954c
glassfish-jaxb-runtime-0:2.2.11-11.module+el8.1.0+3366+6dfb954c
glassfish-jaxb-txw2-0:2.2.11-11.module+el8.1.0+3366+6dfb954c
jackson-annotations-0:2.10.0-1.module+el8.2.0+5059+3eb3af25
jackson-core-0:2.10.0-1.module+el8.2.0+5059+3eb3af25
jackson-databind-0:2.10.0-1.module+el8.2.0+5059+3eb3af25
jackson-jaxrs-json-provider-0:2.9.9-1.module+el8.1.0+3832+9784644d
jackson-jaxrs-providers-0:2.9.9-1.module+el8.1.0+3832+9784644d
jackson-module-jaxb-annotations-0:2.7.6-4.module+el8.1.0+3366+6dfb954c
jakarta-commons-httpclient-1:3.1-28.module+el8.1.0+3366+6dfb954c
javassist-0:3.18.1-8.module+el8.1.0+3366+6dfb954c
javassist-javadoc-0:3.18.1-8.module+el8.1.0+3366+6dfb954c
jss-0:4.6.2-4.module+el8.2.0+6123+b4678599
jss-debuginfo-0:4.6.2-4.module+el8.2.0+6123+b4678599
jss-debugsource-0:4.6.2-4.module+el8.2.0+6123+b4678599
jss-javadoc-0:4.6.2-4.module+el8.2.0+6123+b4678599
ldapjdk-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b
ldapjdk-javadoc-0:4.21.0-2.module+el8.2.0+4573+c3c38c7b
pki-base-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-base-java-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-ca-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-core-debuginfo-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-core-debugsource-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-kra-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-server-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-servlet-4.0-api-1:9.0.7-16.module+el8.1.0+3366+6dfb954c
pki-servlet-engine-1:9.0.7-16.module+el8.1.0+3366+6dfb954c
pki-symkey-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-symkey-debuginfo-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-tools-0:10.8.3-1.module+el8.2.0+5925+bad5981a
pki-tools-debuginfo-0:10.8.3-1.module+el8.2.0+5925+bad5981a
python-nss-debugsource-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
python-nss-doc-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
python3-nss-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
python3-nss-debuginfo-0:1.0.1-10.module+el8.1.0+3366+6dfb954c
python3-pki-0:10.8.3-1.module+el8.2.0+5925+bad5981a
relaxngDatatype-0:2011.1-7.module+el8.1.0+3366+6dfb954c
resteasy-0:3.0.26-3.module+el8.1.0+3366+6dfb954c
slf4j-0:1.7.25-4.module+el8.1.0+3366+6dfb954c
slf4j-jdk14-0:1.7.25-4.module+el8.1.0+3366+6dfb954c
stax-ex-0:1.7.7-8.module+el8.1.0+3366+6dfb954c
tomcatjss-0:7.4.1-2.module+el8.2.0+4573+c3c38c7b
velocity-0:1.7-24.module+el8.1.0+3366+6dfb954c
xalan-j2-0:2.7.1-38.module+el8.1.0+3366+6dfb954c
xerces-j2-0:2.11.0-34.module+el8.1.0+3366+6dfb954c
xml-commons-apis-0:1.4.01-25.module+el8.1.0+3366+6dfb954c
xml-commons-resolver-0:1.2-26.module+el8.1.0+3366+6dfb954c
xmlstreambuffer-0:1.5.4-8.module+el8.1.0+3366+6dfb954c
xsom-0:0-19.20110809svn.module+el8.1.0+3366+6dfb954c

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Redhat

References