漏洞类别:RedHat
漏洞等级: 
漏洞信息
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal. (CVE-2017-2595)
It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
Affected Products
JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64
JBoss Enterprise Application Platform 6.4 for RHEL 6 ppc64
JBoss Enterprise Application Platform 6.4 for RHEL 6 i386
JBoss Enterprise Application Platform 6 for RHEL 6 x86_64
JBoss Enterprise Application Platform 6 for RHEL 6 ppc64
JBoss Enterprise Application Platform 6 for RHEL 6 i386
漏洞危害
On successful exploitation it allows arbitrary file read to authenticated user via path traversal. (CVE-2017-2595), a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018), a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
解决方案
Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.
Refer to Red Hat security advisory RHSA-2017:1749 to address this issue and obtain more information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论