Lucene search

RedhatCVE-2016-8657

HistoryJul 31, 2018 - 7:29 p.m.

CVE-2016-8657

2018-07-3119:29:00

CWE-264

redhat

web.nvd.nist.gov

eap

red hat enterprise linux

configuration files

permissions

nvd

cve-2016-8657

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

26.7%

JSON

It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted.

Affected configurations

Nvd

Node

redhatjboss_enterprise_application_platformMatch6.0.0

redhatjboss_enterprise_application_platformMatch6.4.0

AND

redhatenterprise_linuxMatch5

Node

redhatjboss_enterprise_application_platformMatch6.0.0

redhatjboss_enterprise_application_platformMatch6.4.0

AND

redhatenterprise_linuxMatch6.0

Node

redhatjboss_enterprise_application_platformMatch6.0.0

redhatjboss_enterprise_application_platformMatch6.4.0

AND

redhatenterprise_linuxMatch7.0

Node

redhatjboss_enterprise_application_platformMatch5.0.0

AND

redhatenterprise_linuxMatch5

redhatenterprise_linuxMatch6.0

VendorProductVersionCPE
redhatjboss_enterprise_application_platform6.0.0cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
redhatjboss_enterprise_application_platform6.4.0cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*
redhatenterprise_linux5cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
redhatenterprise_linux6.0cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
redhatenterprise_linux7.0cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
redhatjboss_enterprise_application_platform5.0.0cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	jboss_enterprise_application_platform	6.0.0	cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:::::::*
redhat	jboss_enterprise_application_platform	6.4.0	cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:::::::*
redhat	enterprise_linux	5	cpe:2.3:o:redhat:enterprise_linux:5:::::::*
redhat	enterprise_linux	6.0	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
redhat	enterprise_linux	7.0	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
redhat	jboss_enterprise_application_platform	5.0.0	cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:::::::*

References

rhn.redhat.com/errata/RHSA-2017-0826.html

rhn.redhat.com/errata/RHSA-2017-0827.html

rhn.redhat.com/errata/RHSA-2017-0828.html

rhn.redhat.com/errata/RHSA-2017-0829.html

www.securityfocus.com/bid/96896

access.redhat.com/errata/RHSA-2018:1609

bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8657

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

High

EPSS

0.001

Percentile

26.7%

JSON

Related for CVE-2016-8657