Jboss Core Services Red Hat Jboss Core Services

Do you want an email whenever new security vulnerabilities are reported in Red Hat Jboss Core Services?

Recent Red Hat Jboss Core Services Security Advisories

Advisory Title Published
RHSA-2021:2472 (RHSA-2021:2472) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 security update June 17, 2021
RHSA-2021:2471 (RHSA-2021:2471) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 security update June 17, 2021
RHSA-2021:1200 (RHSA-2021:1200) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP7 security update April 14, 2021
RHSA-2021:1199 (RHSA-2021:1199) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP7 security update April 14, 2021

By the Year

In 2021 there have been 6 vulnerabilities in Red Hat Jboss Core Services with an average score of 7.7 out of ten. Jboss Core Services did not have any published security vulnerabilities last year. That is, 6 more vulnerabilities have already been reported in 2021 as compared to last year.

Year Vulnerabilities Average Score
2021 6 7.68
2020 0 0.00
2019 2 7.50
2018 1 7.50

It may take a day or so for new Jboss Core Services vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Jboss Core Services Security Vulnerabilities

There's a flaw in libxml2's xmllint in versions before 2.9.11

CVE-2021-3516 7.8 - High - June 01, 2021

There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

Dangling pointer

A flaw was found in OpenLDAP in versions before 2.4.56

CVE-2020-25710 7.5 - High - May 28, 2021

A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability.

assertion failure

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11

CVE-2021-3517 8.6 - High - May 19, 2021

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Memory Corruption

A flaw was found in OpenLDAP

CVE-2020-25709 7.5 - High - May 18, 2021

A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAPs slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability.

assertion failure

There's a flaw in libxml2 in versions before 2.9.11

CVE-2021-3518 8.8 - High - May 18, 2021

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

Dangling pointer

A vulnerability found in libxml2 in versions before 2.9.11 shows

CVE-2021-3537 5.9 - Medium - May 14, 2021

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

NULL Pointer Dereference

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service

CVE-2019-9517 7.5 - High - August 13, 2019

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Allocation of Resources Without Limits or Throttling

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service

CVE-2019-9518 7.5 - High - August 13, 2019

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

Allocation of Resources Without Limits or Throttling

The Apache Web Server (httpd) specific code

CVE-2018-11759 7.5 - High - October 31, 2018

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

Directory traversal

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Debian Linux or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

subscribe