Multiple vulnerabilities in JBoss Enterprise Application Platform
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2022-1278 CVE-2022-3509 CVE-2022-3510 |
| CWE-ID | CWE-16 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
JBoss Enterprise Application Platform Server applications / Application servers |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Configuration
EUVDB-ID: #VU69823
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1278
CWE-ID:
CWE-16 - Configuration
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to unconfigured MP OpenTracing in the default configuration. A local user can obtain sensitive information from the log files.
Install updates from vendor's website.
JBoss Enterprise Application Platform: 7.4.0 - 7.4.9
CPE2.3- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.9:*:*:*:*:*:*:
- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.8:*:*:*:*:*:*:
- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.7:*:*:*:*:*:*:
http://access.redhat.com/errata/RHSA-2023:1855
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU69670
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3509
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing textformat data. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
JBoss Enterprise Application Platform: 7.4.0 - 7.4.9
CPE2.3- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.9:*:*:*:*:*:*:
- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.8:*:*:*:*:*:*:
- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.7:*:*:*:*:*:*:
http://access.redhat.com/errata/RHSA-2023:1855
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU71253
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3510
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Policy (Google Protobuf-Java) component in Oracle Communications Cloud Native Core Policy. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
JBoss Enterprise Application Platform: 7.4.0 - 7.4.9
CPE2.3- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.9:*:*:*:*:*:*:
- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.8:*:*:*:*:*:*:
- cpe:2.3:a:red_hat:jboss_enterprise_application_platform:7.4.7:*:*:*:*:*:*:
http://access.redhat.com/errata/RHSA-2023:1855
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
