SB2024101582 - Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 8.0

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2024-21634)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Information disclosure (CVE-ID: CVE-2024-7885)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to insecure sharing of resources where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2024:7441"
• https://access.redhat.com/errata/RHSA-2024:7441</a></p><p>
• https://access.redhat.com/errata/RHSA-2024:7442</p><p><br></p>