RHSA-2022:7272: Red Hat Security Advisory: Red Hat JBoss Web Server 5.7.0 release and security update
An update is now available for Red Hat JBoss Web Server 5.7 on Red Hat Enterprise Linux versions 7, 8, and 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-23181: tomcat: local privilege escalation vulnerability
Issued: 2022-11-02
Updated: 2022-11-02
RHSA-2022:7272 - Security Advisory
Synopsis
Moderate: Red Hat JBoss Web Server 5.7.0 release and security update
Type/Severity
Security Advisory: Moderate
Description
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It consists of the Apache Tomcat Servlet container, the JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 5.7.0 serves as a replacement for Red Hat JBoss Web Server 5.6.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.
Security Fix(es):
- tomcat: local privilege escalation vulnerability (CVE-2022-23181)
As the CVE text explains, this is a time-of-check/time-of-use race that the fix for CVE-2020-9484 introduced into Tomcat's session persistence code. It is only exploitable when Tomcat is configured to persist sessions using the FileStore, in which case a local attacker can perform actions with the privileges of the user the Tomcat process runs as.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
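The CVE text on this page ties exploitability to two conditions: a Tomcat build in an affected range (8.5.55 to 8.5.73, 9.0.35 to 9.0.56, 10.0.0-M5 to 10.0.14, 10.1.0-M1 to 10.1.0-M8) and session persistence through FileStore. The script below, an added example that is not Red Hat or Apache tooling, checks both against a Tomcat context.xml and a version string such as the one in the jws5-tomcat package name. It assumes the FileStore configuration takes the usual form of a PersistentManager wrapping a Store element; the context.xml samples are constructed for the demonstration, and milestone (-Mn) builds are reported as unclassified rather than guessed at.

```python
"""Classify a Tomcat deployment against the two conditions named in the
CVE-2022-23181 text: an affected Tomcat version and FileStore session persistence.
Added example, not Red Hat or Apache tooling."""
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILESTORE = "org.apache.catalina.session.FileStore"

# GA ranges from the CVE text. Milestone builds (10.1.0-M1..M8, 10.0.0-M5..) are
# not classified here; version_affected() returns None for them.
AFFECTED_RANGES = [
    ((8, 5, 55), (8, 5, 73)),
    ((9, 0, 35), (9, 0, 56)),
    ((10, 0, 0), (10, 0, 14)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.].*)?$")


def parse_version(version: str) -> tuple:
    """Turn '9.0.62-9.redhat_00005' or '9.0.62' into (9, 0, 62); RPM release suffixes are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version: str):
    """True if the GA version lies in an affected range, False if not, None for milestone builds."""
    if re.search(r"-M\d+", version):
        return None
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def uses_filestore(context_xml: str) -> bool:
    """True when a PersistentManager <Manager> element wraps a FileStore <Store> element."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        if any(store.get("className") == FILESTORE for store in manager.iter("Store")):
            return True
    return False


def assess(context_xml: str, tomcat_version: str) -> dict:
    """Combine both conditions. 'exposed' is True only when FileStore is configured
    and the version is positively classified as affected (None never counts)."""
    filestore = uses_filestore(context_xml)
    affected = version_affected(tomcat_version)
    return {
        "filestore": filestore,
        "version_affected": affected,
        "exposed": filestore and affected is True,
    }


# Constructed sample context.xml files (not taken from any real deployment).
FILESTORE_CONTEXT = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
  <Manager className="org.apache.catalina.session.PersistentManager" maxIdleBackup="30">
    <Store className="org.apache.catalina.session.FileStore" directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>
"""

DEFAULT_CONTEXT = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""

if __name__ == "__main__":
    for ctx_name, ctx in (("filestore", FILESTORE_CONTEXT), ("default", DEFAULT_CONTEXT)):
        for ver in ("9.0.50", "9.0.62-9.redhat_00005", "10.1.0-M8"):
            print(f"{ctx_name:9s} {ver:24s} {assess(ctx, ver)}")
```

Run it against conf/context.xml and any per-application META-INF/context.xml, since a Manager can be declared at either level. The version in the jws5-tomcat package name shipped by this advisory (9.0.62) is above the affected 9.0.x range, so a patched host reports exposed False even if FileStore persistence stays configured.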
Solution
Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
- JBoss Enterprise Web Server 5 for RHEL 9 x86_64
- JBoss Enterprise Web Server 5 for RHEL 8 x86_64
- JBoss Enterprise Web Server 5 for RHEL 7 x86_64
Fixes
- BZ - 2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability
JBoss Enterprise Web Server 5 for RHEL 9
SRPM
jws5-1-8.el9jws.src.rpm
SHA-256: 5923f60f98e088cc4ca070710b5bddf97dcc4808a108a2b012f6133a1dcd70aa
jws5-ecj-4.20.0-1.redhat_00002.1.el9jws.src.rpm
SHA-256: 1a251e9e09326d0afae8d55023e686f39e4eeeca9c1f111d4b50533c80c17a6d
jws5-javapackages-tools-3.4.1-5.15.11.el9jws.src.rpm
SHA-256: c33dccda4c4e6ec2a8ead21d9a764a1acf31cf69ad63cd905e33ed94696d9502
jws5-jboss-logging-3.4.1-1.Final_redhat_00001.1.el9jws.src.rpm
SHA-256: e916be9c96d37750a381789ec5d84e4bb249f8ae8d35c39dc234bb719b0b00a5
jws5-mod_cluster-1.4.3-2.Final_redhat_00002.1.el9jws.src.rpm
SHA-256: 42a9a2b6075206421e365f730e36fcc7dfd7f3246cb68878a8fb23d9ce263ead
jws5-tomcat-9.0.62-9.redhat_00005.1.el9jws.src.rpm
SHA-256: 6d2600a2298a8028fce39211e6b8fd2c4dc484dc53e9b0d7f6cb830c6c5807ae
jws5-tomcat-native-1.2.31-10.redhat_10.el9jws.src.rpm
SHA-256: 585a4b2bd96a74c20f7eb1f56166029522bd66639604421f41374333ad92aeee
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el9jws.src.rpm
SHA-256: aa95616012178f32e63b964c5143c7e765e42967f835f3b493d92b99de3c8cbd
x86_64
jws5-1-8.el9jws.x86_64.rpm
SHA-256: 32c7a77d4d2366ffa834d693cdd901efbcc4a594a18d94405a1c656736e6757c
jws5-ecj-4.20.0-1.redhat_00002.1.el9jws.noarch.rpm
SHA-256: 2a743c402fc16e097555890666260c24ac5274ef0d882f50889120170dfcfb02
jws5-javapackages-tools-3.4.1-5.15.11.el9jws.noarch.rpm
SHA-256: 96eb9d60c5052e089cd719770af31e1bf6c92c8eddfa814180f76d66561b5e8a
jws5-jboss-logging-3.4.1-1.Final_redhat_00001.1.el9jws.noarch.rpm
SHA-256: cc5eb63181a86d70f65c1ff80d534d76d304de60dc4c11ba25f54c0aa9da9340
jws5-mod_cluster-1.4.3-2.Final_redhat_00002.1.el9jws.noarch.rpm
SHA-256: d2a652d472b01c0bd7d3c584ff7cbc1de0677f08b8bbe60efaedd410816f7ffa
jws5-mod_cluster-tomcat-1.4.3-2.Final_redhat_00002.1.el9jws.noarch.rpm
SHA-256: 517238cce18ec3ccdc01d83e4c4e6ef275b8a0a91febbe53bcac12392241a821
jws5-python-javapackages-3.4.1-5.15.11.el9jws.noarch.rpm
SHA-256: 534a76cff2a6fcbd27a2af098b8d939ffddd9a432de5ea000f1455223bc479d9
jws5-runtime-1-8.el9jws.x86_64.rpm
SHA-256: 407029ecff0ac8149265b631c674a4ee4dbb6e4b21dcdde643f3363099e3f103
jws5-tomcat-9.0.62-9.redhat_00005.1.el9jws.noarch.rpm
SHA-256: 88dfeca25ae8ee79424f7af6db7a0ab30aba63c6d1cd59213ab3b2b6cd60b0d7
jws5-tomcat-admin-webapps-9.0.62-9.redhat_00005.1.el9jws.noarch.rpm
SHA-256: 25b51afbf1901a5d51812cbe85492ac9be24d2c76919f9838c04e488091d070c
jws5-tomcat-docs-webapp-9.0.62-9.redhat_00005.1.el9jws.noarch.rpm
SHA-256: 18c960e78aa4fedb79c47138605ef949ee558fb80770ba25d1a227701573d325
jws5-tomcat-el-3.0-api-9.0.62-9.redhat_00005.1.el9jws.noarch.rpm
SHA-256: 3720128191bff3d0942634bf87e186973ce2c333cae9c00ee10f83f52c4ac3dc
jws5-tomcat-javadoc-9.0.62-9.redhat_00005.1.el9jws.noarch.rpm
SHA-256: cd3e141a1828ec3cd042d425048d8655b1a6f497059ea191f51dced1ce1d6bb1
jws5-tomcat-jsp-2.3-api-9.0.62-9.redhat_00005.1.el9jws.noarch.rpm
SHA-256: 855a78d2a42f32d799f2ae560c1d499027ae207b2a7aebfe2d84f8ac8392397d
jws5-tomcat-lib-9.0.62-9.redhat_00005.1.el9jws.noarch.rpm
SHA-256: 3ca50f6a26eeb40d71db97faef3c5f22a462f39e7611e23aaa20a5f946e273ba
jws5-tomcat-native-1.2.31-10.redhat_10.el9jws.x86_64.rpm
SHA-256: 61ac01e847d986d9538231102453a4a7798c0860f36eb9fc4b68e023659d4da4
jws5-tomcat-native-debuginfo-1.2.31-10.redhat_10.el9jws.x86_64.rpm
SHA-256: b84ac68ae5d054a429c3adc3d9143184bed7e8c27f34792d0a4d642e8035119b
jws5-tomcat-selinux-9.0.62-9.redhat_00005.1.el9jws.noarch.rpm
SHA-256: 5d581026ed8aec21604d1deb6e43788e93e18753229f54fb9a8009c6f315c7bb
jws5-tomcat-servlet-4.0-api-9.0.62-9.redhat_00005.1.el9jws.noarch.rpm
SHA-256: 9587888eafa85074ce404df8cc4614551984848d71536626fde6fdc9e5cb177f
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el9jws.noarch.rpm
SHA-256: d7af67c21dc5c1abcf0aa0ebe6e573bf854aa7ed7b71104679d4c96d16a37405
jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el9jws.noarch.rpm
SHA-256: f3df87b41d8ceab5ae41638d26f6ba7e64a19737642145b3015c16c3a3f16f3b
jws5-tomcat-webapps-9.0.62-9.redhat_00005.1.el9jws.noarch.rpm
SHA-256: 4af080a9b11c58e89dbb6f92c337b690d917a7947b73e5992758038d5ad1facf
JBoss Enterprise Web Server 5 for RHEL 8
SRPM
jws5-ecj-4.20.0-1.redhat_00002.1.el8jws.src.rpm
SHA-256: e90c040907a55ea14d8d95b4bb0da2e58180287b37281ec56efab57ca55ef16c
jws5-tomcat-9.0.62-9.redhat_00005.1.el8jws.src.rpm
SHA-256: a9e75f91ee1c258a9be90c60ff75b1e8e5491fc51fd352a1c6bff77f6b376eec
jws5-tomcat-native-1.2.31-10.redhat_10.el8jws.src.rpm
SHA-256: 706a1aa3b5fb417fb4d9e10c800e4b5217ce657af3fd2c7448d8b0d34c5468f2
x86_64
jws5-ecj-4.20.0-1.redhat_00002.1.el8jws.noarch.rpm
SHA-256: d30d7135fd12a1fd0f2f1e4b001a30ae0c1f6b8cfc6cc35454d287448a45dec6
jws5-tomcat-9.0.62-9.redhat_00005.1.el8jws.noarch.rpm
SHA-256: 6eadf98565c5425c3cb3052b2fefa5ce021ff3a2e3430ec68c084495f84ec4ba
jws5-tomcat-admin-webapps-9.0.62-9.redhat_00005.1.el8jws.noarch.rpm
SHA-256: cd16bf124d1d5c7d7f4fd6968800823e5b10d182a929a0ba84217bb7075ffa41
jws5-tomcat-docs-webapp-9.0.62-9.redhat_00005.1.el8jws.noarch.rpm
SHA-256: 0065864292dbcca2953053064eace3d9b4e8d0bc081896af7335186ebbf80eaa
jws5-tomcat-el-3.0-api-9.0.62-9.redhat_00005.1.el8jws.noarch.rpm
SHA-256: d96e14d039f36e44d737cce1a80cf9aafca5a8d23adc4670dd79fcd098391862
jws5-tomcat-javadoc-9.0.62-9.redhat_00005.1.el8jws.noarch.rpm
SHA-256: 384302e1d47c73a727255f39727165b8e73a014f5f59c5e3772c1b551f3a0808
jws5-tomcat-jsp-2.3-api-9.0.62-9.redhat_00005.1.el8jws.noarch.rpm
SHA-256: 72cd08b59e9d6efd35b53ac6e4f12d0571d6d3648bddc229b825e3754522d2c1
jws5-tomcat-lib-9.0.62-9.redhat_00005.1.el8jws.noarch.rpm
SHA-256: aacc0feb845944291a7fef1adfbfb72fbfad4538af57f4d7b365be41ee45365b
jws5-tomcat-native-1.2.31-10.redhat_10.el8jws.x86_64.rpm
SHA-256: 704d1b4885c82186e72f4a86c12c72718c7a591db84a314a600583a638d47a6b
jws5-tomcat-native-debuginfo-1.2.31-10.redhat_10.el8jws.x86_64.rpm
SHA-256: 79e05d068c025a2fdcd47315b51659205a8db9fe11867d5b2337ce25348ff67f
jws5-tomcat-selinux-9.0.62-9.redhat_00005.1.el8jws.noarch.rpm
SHA-256: 9d00b98a364bdaf1643ae64d5249a9f91afff9b6d4f95fac8a8ef38d979548dc
jws5-tomcat-servlet-4.0-api-9.0.62-9.redhat_00005.1.el8jws.noarch.rpm
SHA-256: e251ea83092f9963fa1ea987828fc0f439718fd59853caf1b2dfff1071c18162
jws5-tomcat-webapps-9.0.62-9.redhat_00005.1.el8jws.noarch.rpm
SHA-256: 3b1455f6df96e36f7193be77042fbbef6c2d052bad5f712e8fe857cfc2d2fbc3
JBoss Enterprise Web Server 5 for RHEL 7
SRPM
jws5-ecj-4.20.0-1.redhat_00002.1.el7jws.src.rpm
SHA-256: c03f19d22d54a9678af3a027b03ed6bdd1b02e89478ff50186a89f486b723d0b
jws5-tomcat-9.0.62-9.redhat_00005.1.el7jws.src.rpm
SHA-256: 25f0c462c4b508082f863261da41ec5aa4336564bba29961bad1aa3093da9ba2
jws5-tomcat-native-1.2.31-10.redhat_10.el7jws.src.rpm
SHA-256: 73f5b08c5b712755c1be1b02ee53d344388a980ffe0a971fcaeeb48be3479221
x86_64
jws5-ecj-4.20.0-1.redhat_00002.1.el7jws.noarch.rpm
SHA-256: 86c53ec0607647143aa4c0f39a65b58bb0032c52662998e495473fc6991c21c1
jws5-tomcat-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: e4b9a9307190c5e9eb4289f038e52f4fc3aac71d68350f239f1b5cfc93e312ba
jws5-tomcat-admin-webapps-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: 5614da2dafacf19848a47dee2421996c43acf2cd0fdf231f008a05caa4572f6d
jws5-tomcat-docs-webapp-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: 8631a1b60c36b923b9490d8a99629e6d52b504f3c27e0a3857413d99ba15d477
jws5-tomcat-el-3.0-api-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: 1ed21a7f53098968e5dbe8eef2f8d72720d6616ccb82d87a3336d89b29243871
jws5-tomcat-java-jdk11-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: a2863a7c0fc1311a479433ac305cd017b41b1ad4e40a0bc95e86d79106071d8f
jws5-tomcat-java-jdk8-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: 44440af6ab8f6db68e38418138be613ef051c644983f763105c4405c646d045f
jws5-tomcat-javadoc-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: 6f5bc9d4e1eebb274063ccecebbb77899636f8d14363b72a39dd42eb1b7a32f3
jws5-tomcat-jsp-2.3-api-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: c29098878a177af1c896387622a412d56fefe856d9cd4ac41b9ea087d6a6e4ad
jws5-tomcat-lib-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: bfb3c705bf32570d444f44ac82dccf8c859189828269279b540dcb50e752d310
jws5-tomcat-native-1.2.31-10.redhat_10.el7jws.x86_64.rpm
SHA-256: 578bb56bd522e34ed57c42be5b7c8e3afe09079327875ccb41ab332e01fc3c13
jws5-tomcat-native-debuginfo-1.2.31-10.redhat_10.el7jws.x86_64.rpm
SHA-256: 18ceea808c1a672ad60538e97ec0c688d324087135238af5f7d7baa4150440af
jws5-tomcat-selinux-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: bd11300d95885ce73aa995f4a9cd59867482253cb0b22fcd130430c69e277992
jws5-tomcat-servlet-4.0-api-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: 70f84620c4e2a2c0752f25be9477e0b6259ccd8eaee73bead509223b29902411
jws5-tomcat-webapps-9.0.62-9.redhat_00005.1.el7jws.noarch.rpm
SHA-256: da593886eb04cf0e686c2f58a0b4bb1d596229c493d1ba70d23d916088a54d2f
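The per-package SHA-256 values above let you confirm that RPMs staged from a mirror or a CI cache are the files this advisory describes before they reach a host. The script below is an added example, not Red Hat tooling; it assumes the manifest is text copied out of the package lists above in the same filename-then-"SHA-256:" layout, and its demonstration writes constructed files into a temporary directory rather than touching real RPMs.

```python
"""Verify staged RPMs against the SHA-256 list published in an advisory.
Added example, not Red Hat tooling."""
import hashlib
import os
import re
import tempfile

# One advisory entry: a filename line followed by a "SHA-256: <64 hex>" line.
_PAIR_RE = re.compile(
    r"^(\S+\.rpm)[ \t]*\nSHA-256:[ \t]*([0-9a-fA-F]{64})[ \t]*$", re.MULTILINE
)


def parse_manifest(text: str) -> dict:
    """Return {filename: sha256_hex} from text copied out of the advisory's package list."""
    return {name: digest.lower() for name, digest in _PAIR_RE.findall(text)}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large RPMs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_dir(directory: str, manifest: dict) -> dict:
    """Check every manifest entry against the same-named file in directory.
    Returns {filename: 'ok' | 'mismatch' | 'missing'}; anything but 'ok' should block install."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo() -> dict:
    """Constructed run: one genuine file, one altered after the manifest was written, one absent."""
    payload = b"constructed rpm payload"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.rpm"), "wb") as f:
            f.write(payload)
        with open(os.path.join(d, "tampered.rpm"), "wb") as f:
            f.write(payload + b", modified in transit")
        manifest_text = "\n".join([
            "good.rpm", "SHA-256: " + hashlib.sha256(payload).hexdigest(),
            "tampered.rpm", "SHA-256: " + hashlib.sha256(payload).hexdigest(),
            "absent.rpm", "SHA-256: " + "0" * 64,
        ])
        return verify_dir(d, parse_manifest(manifest_text))


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:9s} {name}")
```

Digest comparison complements rather than replaces signature checking: rpm --checksig verifies the Red Hat GPG signature on each package, and both should pass before the backup-then-update steps in the Solution section.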
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 6943-1 - It was discovered that Tomcat incorrectly handled certain uncommon PersistenceManager with FileStore configurations. A remote attacker could possibly use this issue to execute arbitrary code. This issue only affected tomcat8 for Ubuntu 18.04 LTS It was discovered that Tomcat incorrectly handled certain HTTP/2 connection requests. A remote attacker could use this issue to obtain wrong responses possibly containing sensitive information. This issue only affected tomcat8 for Ubuntu 18.04 LTS
An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-23181: The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is ...
Red Hat Security Advisory 2022-7273-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.0 serves as a replacement for Red Hat JBoss Web Server 5.6.1. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References. Issues addressed include denial of service and privilege escalation vulnerabilities.
Debian Linux Security Advisory 5265-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
Red Hat Security Advisory 2022-5532-01 - This release of Red Hat Fuse 7.11.0 serves as a replacement for Red Hat Fuse 7.10 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include HTTP request smuggling, bypass, code execution, denial of service, deserialization, information leakage, memory leak, privilege escalation, and traversal vulnerabilities.
A minor version update (from 7.10 to 7.11) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7020: elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure * CVE-2020-9484: tomcat: deserialization flaw in session persistence storage leading to RCE * CVE-2020-15250: ju...
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.