SB2024082315 - Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 7

Description

This security bulletin contains information about 7 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2024-5971)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to response writes hand when using Java 17 TLSv1.3 NewSessionTicket. A remote attacker can perform a denial of service (DoS) attack.

2) Resource exhaustion (CVE-ID: CVE-2024-3653)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect handling of requests within the LearningPushHandler. A remote attacker can send specially crafted requests to the web server and consume available memory, leading to a denial of service.

Successful exploitation of the vulnerability requires that the learning-push handler is enabled (disabled by default).

3) Observable discrepancy (CVE-ID: CVE-2024-30171)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a possible timing based leakage in RSA based handshakes. A remote attacker can gain access to sensitive information.

4) Resource exhaustion (CVE-ID: CVE-2024-29857)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to library does not properly control consumption of internal resources when importing an EC certificate with specially crafted F2m parameters. A remote attacker can pass a specially crafted certificate to the application to trigger resource exhaustion and perform a denial of service (DoS) attack.

5) Information disclosure (CVE-ID: CVE-2024-29025)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in HttpPostRequestDecoder. A remote attacker can gain unauthorized access to sensitive information on the system.

6) Infinite loop (CVE-ID: CVE-2024-30172)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in the Ed25519 verification code. A remote attacker can pass a specially signature and public key to the application, consume all available system resources and cause denial of service conditions.

7) Resource exhaustion (CVE-ID: CVE-2024-27316)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2024:5143