Original Issue Date: April 22, 2022
Severity Rating: HIGH
Software Affected
Red Hat JBoss Core Services Text-Only Advisories x86_64
Red Hat JBoss Core Services 1 for RHEL 8 x86_64
Red Hat JBoss Core Services 1 for RHEL 7 x86_64
Overview
Multiple vulnerabilities have been reported in Red Hat JBoss Core Services which could be exploited by a remote attacker to execute arbitrary code, gain access to sensitive information, bypass security restrictions or cause a denial-of-service (DoS) condition on the targeted system.
Description
These vulnerabilities exist in Red Hat JBoss Core Services in its bundled libxml2, OpenSSL and Apache httpd components and are due to:
An exponential entity expansion attack that bypasses all existing protection mechanisms
A use-after-free in xmlEncodeEntitiesInternal() in entities.c
A heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c
A use-after-free in xmlXIncludeDoProcess() in xinclude.c
A NULL pointer dereference when post-validating mixed content parsed in recovery mode
A use-after-free of ID and IDREF attributes
An infinite loop in BN_mod_sqrt() reachable when parsing certificates
Errors encountered during the discarding of a request body that lead to HTTP request smuggling
A remote attacker could exploit these vulnerabilities by sending specially crafted requests (for example, a crafted XML document, a crafted certificate or a malformed HTTP request body) to the target system.
Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code, gain access to sensitive information, bypass security restrictions or cause a denial of service (DoS) on the targeted system.
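The first flaw listed above is an entity-expansion (billion-laughs) attack that defeats a parser's own amplification guard. The following is an added example, not code from the advisory or from Red Hat JBoss Core Services: a static pre-parse check that computes how much the entity declarations in a document would amplify it and refuses to hand anything over the limit to the XML parser. It assumes internal general entities declared with double quotes only; the 100x ceiling is borrowed from expat's default maximum amplification. The sample documents (a constructed five-level bomb and a benign one-entity document) are built inline.

```python
"""Static pre-parse guard against exponential (billion-laughs) entity expansion.

Added example, not part of the advisory or of Red Hat JBoss Core Services.
It mirrors the idea behind expat's amplification limit: work out how large the
entity expansions would become relative to the document that declares them and
refuse to parse anything that amplifies more than a fixed factor.
Assumptions: internal general entities declared with double quotes only;
the 100x limit is borrowed from expat's default maximum amplification.
"""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")
INTERNAL_DTD = re.compile(r"<!DOCTYPE[^\[>]*\[.*?\]\s*>", re.S)
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}

# Constructed benign sample: one small entity, referenced once.
BENIGN_DOC = (
    '<?xml version="1.0"?>\n<!DOCTYPE note [\n<!ENTITY vendor "Red Hat">\n]>\n'
    "<note>&vendor; advisory</note>\n"
)


def build_expansion_bomb(depth=5, fanout=10):
    """Constructed sample: lol0 = "lol", lol(n) = `fanout` references to lol(n-1).

    Fully expanded, lol(depth) is 3 * fanout**depth characters long while the
    document itself stays a few hundred bytes: that is the amplification.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&lol%d;" % (i - 1)) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE root [\n' + "\n".join(decls)
            + "\n]>\n<root>&lol%d;</root>\n" % depth)


def entity_expansion_sizes(xml_text):
    """Return {entity name: fully expanded length in characters} for every declared entity."""
    decls = dict(ENTITY_DECL.findall(xml_text))
    sizes = {}

    def expand(name, stack):
        if name in PREDEFINED:
            return PREDEFINED[name]
        if name not in decls:            # undefined: the literal reference would be left in place
            return len(name) + 2
        if name in sizes:
            return sizes[name]
        if name in stack:                # recursive entities are a well-formedness error anyway
            raise ValueError("recursive entity %s" % name)
        body, total, last = decls[name], 0, 0
        for m in ENTITY_REF.finditer(body):
            total += m.start() - last + expand(m.group(1), stack | {name})
            last = m.end()
        sizes[name] = total + len(body) - last
        return sizes[name]

    for name in decls:
        expand(name, frozenset())
    return sizes


def amplification(xml_text):
    """(document size + text produced by expanding references in the body) / document size.

    Predefined and undefined references in the body expand to a handful of
    bytes at most, so only declared entities are counted.
    """
    sizes = entity_expansion_sizes(xml_text)
    body = INTERNAL_DTD.sub("", xml_text)
    indirect = sum(sizes.get(m.group(1), 0) for m in ENTITY_REF.finditer(body))
    return (len(xml_text) + indirect) / len(xml_text)


def is_safe_to_parse(xml_text, max_amplification=100.0):
    """True if the document may be passed to a real XML parser under this policy."""
    return amplification(xml_text) <= max_amplification


if __name__ == "__main__":
    bomb = build_expansion_bomb()
    print("bomb: %d bytes, amplification %.0fx, safe=%s"
          % (len(bomb), amplification(bomb), is_safe_to_parse(bomb)))
    print("benign: amplification %.2fx, safe=%s"
          % (amplification(BENIGN_DOC), is_safe_to_parse(BENIGN_DOC)))
```

Expat additionally skips the ratio check below an activation threshold (8 MiB of expanded output by default) so that tiny documents with a legitimately large entity are not rejected; whatever limit is chosen, the check has to be applied before the parser expands anything, which is the property the bypass listed above broke inside the library itself.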
Solution
Apply the appropriate fixes/patches as mentioned in the following link