Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2017:2638
HistorySep 05, 2017 - 3:21 p.m.

(RHSA-2017:2638) Important: jboss-ec2-eap security, bug fix, and enhancement update

2017-09-0515:21:39
access.redhat.com
142

0.874 High

EPSS

Percentile

98.7%

JSON

The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.17.

Security Fix(es):

  • It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)

  • A vulnerability was discovered in the error page mechanism in Tomcatโ€™s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)

  • A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.

Related

redhat 14
nessus 43
redhatcve 3
veracode 4
centos 1
githubexploit 1
amazon 4
attackerkb 1
ibm 16
osv 12
f5 3
debiancve 3
archlinux 2
tomcat 4
debian 8
cvelist 4
fedora 11
openvas 31
myhack58 4
nvd 4
checkpoint_advisories 2
cve 4
mageia 1
atlassian 1
ubuntu 1
oraclelinux 1
symantec 2
seebug 2
prion 3
ubuntucve 3
github 3
suse 1
cloudlinux 1
huawei 1
redhat
redhat
(RHSA-2017:2633) Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update
2017-09-05 14:23:50
(RHSA-2017:2636) Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 7
2017-09-05 14:32:51
(RHSA-2017:2637) Important: Red Hat JBoss Enterprise Application Platform 6.4.17 update on RHEL 5
2017-09-05 14:33:23
nessus
nessus
RHEL 6 : jboss-ec2-eap (RHSA-2017:2638)
2017-09-08 00:00:00
RHEL 7 : JBoss EAP (RHSA-2017:2636)
2017-09-08 00:00:00
RHEL 5 : JBoss EAP (RHSA-2017:2637)
2017-09-08 00:00:00
redhatcve
redhatcve
CVE-2017-5645
2019-10-10 10:12:57
CVE-2019-17571
2020-04-05 23:06:12
CVE-2017-5664
2021-02-07 15:15:32
veracode
veracode
Remote Code Execution (RCE)
2017-04-18 01:36:45
Arbitrary Code Execution
2019-12-23 04:57:47
Security Constraint Bypass
2017-06-07 02:00:46
centos
centos
log4j security update
2017-08-31 18:57:53
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Apache Log4J
2019-12-25 16:46:11
amazon
amazon
Important: log4j
2022-01-18 20:15:00
Medium: log4j
2022-01-18 21:37:00
Important: tomcat8
2017-07-06 17:25:00
attackerkb
attackerkb
CVE-2019-17571
2019-12-20 00:00:00
ibm
ibm
Security Bulletin: Apache-Log4j (Publicly disclosed vulnerability)
2021-12-18 08:39:03
Security Bulletin: Vulnerability in Apache Log4j may affect Cรบram Social Program Management (CVE-2019-17571)
2021-11-29 13:23:28
Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect Algo One - Core
2018-06-15 23:48:10
osv
osv
CVE-2019-17571
2019-12-20 17:15:11
apache-log4j1.2 - security update
2020-01-12 00:00:00
tomcat8 - security update
2017-06-22 00:00:00
f5
f5
K61529042 : Log4j vulnerability CVE-2019-17571
2020-04-08 00:00:00
K23173103 : log4j vulnerability CVE-2017-5645
2018-01-31 00:00:00
K01225001 : Apache Tomcat vulnerability CVE-2017-5664
2017-06-23 00:00:00
debiancve
debiancve
CVE-2019-17571
2019-12-20 17:15:11
CVE-2017-5664
2017-06-06 14:29:00
CVE-2017-5645
2017-04-17 21:59:00
archlinux
archlinux
[ASA-201706-7] tomcat8: access restriction bypass
2017-06-06 00:00:00
[ASA-201706-6] tomcat7: access restriction bypass
2017-06-06 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 8.0.44
2017-05-16 00:00:00
Fixed in Apache Tomcat 7.0.78
2017-05-16 00:00:00
Fixed in Apache Tomcat 8.5.15
2017-05-10 00:00:00
debian
debian
[SECURITY] [DSA 3891-1] tomcat8 security update
2017-06-22 08:05:13
[SECURITY] [DLA 996-1] tomcat7 security update
2017-06-20 21:34:44
[SECURITY] [DSA 4686-1] apache-log4j1.2 security update
2020-05-15 22:17:02
cvelist
cvelist
CVE-2017-5664
2017-06-06 14:00:00
CVE-2017-5645
2017-04-17 21:00:00
CVE-2019-17571
2019-12-20 16:01:21
fedora
fedora
[SECURITY] Fedora 24 Update: tomcat-8.0.44-1.fc24
2017-06-29 23:50:43
[SECURITY] Fedora 26 Update: log4j-2.7-4.fc26
2017-05-02 15:59:49
[SECURITY] Fedora 24 Update: log4j-2.5-3.fc24
2017-05-04 18:26:42
openvas
openvas
Debian: Security Advisory (DLA-996-1)
2018-01-28 00:00:00
Fedora Update for log4j12 FEDORA-2017-8348115acd
2017-06-13 00:00:00
RedHat Update for log4j RHSA-2017:2423-01
2017-08-08 00:00:00
myhack58
myhack58
Tomcat Security Constraint Bypass CVE-2017-5664 analysis-vulnerability warning-the black bar safety net
2017-07-27 00:00:00
Apache Tomcat security restrictions bypass Vulnerability, CVE-2017-5664-a vulnerability warning-the black bar safety net
2017-06-12 00:00:00
Apache logging component Log4j deserialization vulnerability affects all 2. x version-bug warning-the black bar safety net
2017-04-18 00:00:00
nvd
nvd
CVE-2017-5645
2017-04-17 21:59:00
CVE-2017-5664
2017-06-06 14:29:00
CVE-2019-17571
2019-12-20 17:15:11
checkpoint_advisories
checkpoint_advisories
Apache Log4j Remote Code Execution (CVE-2017-5645)
2022-01-02 00:00:00
Apache Log4j Remote Code Execution (CVE-2019-17571)
2020-03-01 00:00:00
cve
cve
CVE-2017-5645
2017-04-17 21:59:00
CVE-2019-17571
2019-12-20 17:15:11
CVE-2017-5664
2017-06-06 14:29:00
mageia
mageia
Updated tomcat packages fix security vulnerability
2017-06-30 00:40:57
atlassian
atlassian
Apache Log4j - Arbitrary Code Execution in confserver/confluence (master)
2020-03-02 03:58:39
ubuntu
ubuntu
Apache Log4j vulnerability
2020-09-15 00:00:00
oraclelinux
oraclelinux
log4j security update
2017-08-09 00:00:00
symantec
symantec
Apache Log4j CVE-2017-5645 Remote Code Execution Vulnerability
2017-04-17 00:00:00
Apache Log4j CVE-2019-17571 Deserialization Remote Code Execution Vulnerability
2019-12-18 00:00:00
seebug
seebug
Apache Log4j socket receiver deserialization vulnerability (CVE-2017-5645)
2017-04-18 00:00:00
Apache Struts2 S2-055(CVE-2017-7525)
2017-12-01 00:00:00
prion
prion
Design/Logic Flaw
2017-06-06 14:29:00
Deserialization of untrusted data
2019-12-20 17:15:00
Code injection
2017-04-17 21:59:00
ubuntucve
ubuntucve
CVE-2017-5664
2017-06-06 00:00:00
CVE-2017-5645
2017-04-17 00:00:00
CVE-2019-17571
2019-12-20 00:00:00
github
github
Improper Handling of Exceptional Conditions in Apache Tomcat
2022-05-13 01:46:15
Deserialization of Untrusted Data in Log4j
2020-01-06 18:43:38
Deserialization of Untrusted Data in Log4j
2020-01-06 18:43:49
suse
suse
Security update for log4j (important)
2020-01-14 00:00:00
cloudlinux
cloudlinux
Fixed CVE-2019-17571 in log4j
2022-06-21 20:23:31
huawei
huawei
Security Advisory - Remote Code Execution Vulnerability in Jackson JSON library of Apache Struts2
2018-02-28 00:00:00

0.874 High

EPSS

Percentile

98.7%

JSON
Related for RHSA-2017:2638
redhat14nessus43redhatcve3veracode4centos1githubexploit1amazon4attackerkb1ibm16osv12f53debiancve3archlinux2tomcat4debian8cvelist4fedora11openvas31myhack584nvd4checkpoint_advisories2cve4mageia1atlassian1ubuntu1oraclelinux1symantec2seebug2prion3ubuntucve3github3suse1cloudlinux1huawei1