Red Hat Jboss Core Services
Recent Red Hat Jboss Core Services Security Advisories
| Advisory | Title | Published |
|---|---|---|
| RHSA-2024:1316 | (RHSA-2024:1316) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP3 security update | March 18, 2024 |
| RHSA-2024:1317 | (RHSA-2024:1317) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP3 security update | March 18, 2024 |
| RHSA-2023:7626 | (RHSA-2023:7626) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP2 security update | December 7, 2023 |
| RHSA-2023:7625 | (RHSA-2023:7625) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP2 security update | December 7, 2023 |
| RHSA-2023:6105 | (RHSA-2023:6105) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP1 security update | October 26, 2023 |
| RHSA-2023:6106 | (RHSA-2023:6106) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP1 security update | October 26, 2023 |
| RHSA-2023:4629 | (RHSA-2023:4629) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 security update | August 15, 2023 |
| RHSA-2023:4628 | (RHSA-2023:4628) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 security update | August 15, 2023 |
| RHSA-2023:3354 | (RHSA-2023:3354) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP2 security update | June 5, 2023 |
| RHSA-2023:3355 | (RHSA-2023:3355) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP2 security update | June 5, 2023 |
By the Year
In 2024 there have been 0 vulnerabilities in Red Hat Jboss Core Services . Last year Jboss Core Services had 1 security vulnerability published. Right now, Jboss Core Services is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 1 | 7.50 |
| 2022 | 0 | 0.00 |
| 2021 | 7 | 7.51 |
| 2020 | 0 | 0.00 |
| 2019 | 7 | 7.36 |
| 2018 | 2 | 7.00 |
It may take a day or so for new Jboss Core Services vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Jboss Core Services Security Vulnerabilities
The HTTP/2 protocol
CVE-2023-44487
7.5 - High
- October 10, 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Resource Exhaustion
A flaw was found in libxml2
CVE-2021-3541
6.5 - Medium
- July 09, 2021
A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
XEE
There's a flaw in libxml2's xmllint in versions before 2.9.11
CVE-2021-3516
7.8 - High
- June 01, 2021
There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.
Dangling pointer
A flaw was found in OpenLDAP in versions before 2.4.56
CVE-2020-25710
7.5 - High
- May 28, 2021
A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability.
assertion failure
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11
CVE-2021-3517
8.6 - High
- May 19, 2021
There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
Memory Corruption
A flaw was found in OpenLDAP
CVE-2020-25709
7.5 - High
- May 18, 2021
A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAPs slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability.
assertion failure
There's a flaw in libxml2 in versions before 2.9.11
CVE-2021-3518
8.8 - High
- May 18, 2021
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Dangling pointer
A vulnerability found in libxml2 in versions before 2.9.11 shows
CVE-2021-3537
5.9 - Medium
- May 14, 2021
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.
NULL Pointer Dereference
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service
CVE-2019-9517
7.5 - High
- August 13, 2019
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
Allocation of Resources Without Limits or Throttling
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service
CVE-2019-9514
7.5 - High
- August 13, 2019
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
Allocation of Resources Without Limits or Throttling
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service
CVE-2019-9515
7.5 - High
- August 13, 2019
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Allocation of Resources Without Limits or Throttling
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation
CVE-2019-9511
7.5 - High
- August 13, 2019
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Allocation of Resources Without Limits or Throttling
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service
CVE-2019-9513
7.5 - High
- August 13, 2019
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service
CVE-2019-9516
6.5 - Medium
- August 13, 2019
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
Allocation of Resources Without Limits or Throttling
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service
CVE-2019-9518
7.5 - High
- August 13, 2019
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
Allocation of Resources Without Limits or Throttling
The Apache Web Server (httpd) specific code
CVE-2018-11759
7.5 - High
- October 31, 2018
The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
Directory traversal
libxml2, as used in Red Hat JBoss Core Services and when in recovery mode
CVE-2016-9596
6.5 - Medium
- August 16, 2018
libxml2, as used in Red Hat JBoss Core Services and when in recovery mode, allows context-dependent attackers to cause a denial of service (stack consumption) via a crafted XML document. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-3627.
Resource Exhaustion
When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications
CVE-2017-12613
7.1 - High
- October 24, 2017
When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
Out-of-bounds Read
The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode
CVE-2016-3627
7.5 - High
- May 17, 2016
The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.
Stack Exhaustion
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Oracle Vm Server or by Red Hat? Click the Watch button to subscribe.
