Jboss Core Services Red Hat Jboss Core Services

Do you want an email whenever new security vulnerabilities are reported in Red Hat Jboss Core Services?

Recent Red Hat Jboss Core Services Security Advisories

Advisory Title Published
RHSA-2022:1389 (RHSA-2022:1389) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update April 20, 2022
RHSA-2022:1390 (RHSA-2022:1390) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP11 security update April 20, 2022
RHSA-2021:4614 (RHSA-2021:4614) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP10 security update November 10, 2021
RHSA-2021:4613 (RHSA-2021:4613) Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP10 security update November 10, 2021
RHSA-2021:3746 (RHSA-2021:3746) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP9 security update October 7, 2021
RHSA-2021:3745 (RHSA-2021:3745) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP9 security update October 7, 2021
RHSA-2021:2472 (RHSA-2021:2472) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 security update June 17, 2021
RHSA-2021:2471 (RHSA-2021:2471) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 security update June 17, 2021
RHSA-2021:1200 (RHSA-2021:1200) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP7 security update April 14, 2021
RHSA-2021:1199 (RHSA-2021:1199) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP7 security update April 14, 2021

By the Year

In 2022 there have been 0 vulnerabilities in Red Hat Jboss Core Services . Last year Jboss Core Services had 7 security vulnerabilities published. Right now, Jboss Core Services is on track to have less security vulnerabilities in 2022 than it did last year.

Year Vulnerabilities Average Score
2022 0 0.00
2021 7 7.51
2020 0 0.00
2019 5 7.30
2018 1 7.50

It may take a day or so for new Jboss Core Services vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Jboss Core Services Security Vulnerabilities

A flaw was found in libxml2

CVE-2021-3541 6.5 - Medium - July 09, 2021

A flaw was found in libxml2. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.

XEE

There's a flaw in libxml2's xmllint in versions before 2.9.11

CVE-2021-3516 7.8 - High - June 01, 2021

There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

Dangling pointer

A flaw was found in OpenLDAP in versions before 2.4.56

CVE-2020-25710 7.5 - High - May 28, 2021

A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to force a failed assertion in csnNormalize23(). The highest threat from this vulnerability is to system availability.

assertion failure

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11

CVE-2021-3517 8.6 - High - May 19, 2021

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Memory Corruption

A flaw was found in OpenLDAP

CVE-2020-25709 7.5 - High - May 18, 2021

A flaw was found in OpenLDAP. This flaw allows an attacker who can send a malicious packet to be processed by OpenLDAPs slapd server, to trigger an assertion failure. The highest threat from this vulnerability is to system availability.

assertion failure

There's a flaw in libxml2 in versions before 2.9.11

CVE-2021-3518 8.8 - High - May 18, 2021

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

Dangling pointer

A vulnerability found in libxml2 in versions before 2.9.11 shows

CVE-2021-3537 5.9 - Medium - May 14, 2021

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

NULL Pointer Dereference

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service

CVE-2019-9517 7.5 - High - August 13, 2019

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Allocation of Resources Without Limits or Throttling

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service

CVE-2019-9518 7.5 - High - August 13, 2019

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

Allocation of Resources Without Limits or Throttling

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service

CVE-2019-9516 6.5 - Medium - August 13, 2019

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Allocation of Resources Without Limits or Throttling

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service

CVE-2019-9513 7.5 - High - August 13, 2019

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation

CVE-2019-9511 7.5 - High - August 13, 2019

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Allocation of Resources Without Limits or Throttling

The Apache Web Server (httpd) specific code

CVE-2018-11759 7.5 - High - October 31, 2018

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

Directory traversal

When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications

CVE-2017-12613 7.1 - High - October 24, 2017

When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.

Out-of-bounds Read

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Red Hat Enterprise Linux Workstation or by Red Hat? Click the Watch button to subscribe.

Red Hat
Vendor

subscribe