SB2016071807 - Red Hat update for jboss-ec2-eap 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016071807

SB2016071807 - Red Hat update for jboss-ec2-eap

Published: July 18, 2016

Security Bulletin ID SB2016071807
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

High 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Limited directory traversal (CVE-ID: CVE-2015-5174)

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists due to incorrect validation of paths in getResource(), getResourceAsStream() and getResourcePaths() methods within ServletContext. A local attacker can bypass security manager restrictions using directory traversal sequences and view directory listing outside the $CATALINA_BASE/webapps folder.

Successful exploitation of the vulnerability may allow a local attacker to obtain names of files and folder on vulnerable system.


2) Authentication bypass (CVE-ID: CVE-2016-2141)

The vulnerability allows a remote attacker to bypass security controls on the target system.

The vulnerability exists due to improper authentication in JGroups of new nodes joining the cluster. A remote attacker can obtain potentially sensitive information by bypassing security controls on the target system, sending and receiving messages within the cluster.

Successful exploitation of this vulnerability may result in disclosure of system information,

Remediation

Install update from vendor's website.

References