SB2023080816 - Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Deserialization of Untrusted Data (CVE-ID: CVE-2021-46877)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insecure input validation when processing serialized JsonNode values. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Note, the vulnerability affects JDK serialization only.

2) Uncontrolled Recursion (CVE-ID: CVE-2023-1436)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

3) Resource exhaustion (CVE-ID: CVE-2023-3223)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources by servlets annotated with @MultipartConfig. A remote attacker can send a large multipart content to the server, consume all available memory resources and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2023:4507