漏洞类别:RedHat
漏洞等级: 
漏洞信息
The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).
It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal. (CVE-2017-2595)
It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
Affected Products
JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64
JBoss Enterprise Application Platform 6.4 for RHEL 6 i386
JBoss Enterprise Application Platform 6 for RHEL 6 x86_64
JBoss Enterprise Application Platform 6 for RHEL 6 i386
漏洞危害
On successful exploitation a malicious web application could bypass a configured SecurityManager
解决方案
Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.
Refer to Red Hat security advisory RHSA-2017:1552 to address this issue and obtain more information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论