Multiple vulnerabilities in Red Hat Process Automation Manager
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2019-0231 CVE-2019-7611 CVE-2019-14540 CVE-2019-14892 CVE-2019-14893 CVE-2019-16335 CVE-2019-16942 CVE-2019-16943 CVE-2019-17267 CVE-2019-17531 |
| CWE-ID | CWE-319 CWE-284 CWE-200 CWE-502 CWE-20 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
Red Hat Process Automation Manager (formerly JBoss BPM Suite) Web applications / Remote management & hosting panels |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Cleartext transmission of sensitive information
EUVDB-ID: #VU26209
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-0231
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to incorrect handling of close_notify SSL/TLS messages that results in software not closing the connection and retaining the socket opened, which allows a client to receive clear text messages afterward. A remote attacker can intercept traffic between client and server application and gain access to potentially sensitive information.
Install updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.0.0 - 7.6.0
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.2.0:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2020:0895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU18086
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-7611
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used, which means that elasticsearch.yml file has xpack.security.dls_fls.enabled set to false. A remote authenticated attacker can make API calls to the _aliases, _shrink, or _split endpoints and make existing data available under a new index/alias name.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.0.0 - 7.6.0
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.2.0:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2020:0895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU21135
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-14540
CWE-ID:
CWE-200 - Information exposure
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariConfig". A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.0.0 - 7.6.0
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.2.0:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2020:0895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Deserialization of Untrusted Data
EUVDB-ID: #VU25833
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-14892
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data of a malicious object using commons-configuration 1 and 2 JNDI classes. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.0.0 - 7.6.0
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.2.0:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2020:0895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Deserialization of Untrusted Data
EUVDB-ID: #VU25834
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-14893
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as "enableDefaultTyping()" or when @JsonTypeInfo is using "Id.CLASS" or "Id.MINIMAL_CLASS" or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.0.0 - 7.6.0
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.2.0:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2020:0895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Information disclosure
EUVDB-ID: #VU21136
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-16335
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a polymorphic typing issue in the "com.zaxxer.hikari.HikariDataSource". A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.0.0 - 7.6.0
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.2.0:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2020:0895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU21580
Risk: Medium
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-16942
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests within the org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSourc components. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.
Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.0.0 - 7.6.0
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.2.0:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2020:0895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Input validation error
EUVDB-ID: #VU21593
Risk: Medium
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-16943
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to a Polymorphic Typing issue when processing JSON requests within the com.p6spy.engine.spy.P6DataSource component. A remote attacker can send specially crafted JSON data to an RMI service endpoint and execute arbitrary code on he system.
Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to send requests to.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.0.0 - 7.6.0
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.2.0:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2020:0895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU21594
Risk: Medium
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-17267
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to a Polymorphic Typing issue within the net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup component. A remote attacker can execute arbitrary code on he system.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.0.0 - 7.6.0
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.2.0:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2020:0895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU21750
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-17531
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected software.
The vulnerability exists due to a Polymorphic Typing in jackson-databind when processing JSON requests. A remote attacker can send specially crafted JSON data to JNDI service and execute a malicious payload.
Successful exploitation of the vulnerability requires that Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath.
MitigationInstall updates from vendor's website.
Red Hat Process Automation Manager (formerly JBoss BPM Suite): 7.0.0 - 7.6.0
CPE2.3- cpe:2.3:a:red_hat:jboss_bpm_suite:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:red_hat:jboss_bpm_suite:7.2.0:*:*:*:*:*:*:*
https://access.redhat.com/errata/RHSA-2020:0895
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
