Severity Rating: High
Software Affected
· Red Hat JBoss Core Services 1 for RHEL 7 x86_64
· Red Hat JBoss Core Services 1 for RHEL 6 x86_64
· Red Hat JBoss Core Services 1 for RHEL 6 i386
· Red Hat JBoss Core Services Text-Only Advisories x86_64
Overview
Multiple vulnerabilities have been reported in Red Hat JBoss which could be
exploited by an attacker to cause denial of service conditions or gain
access to sensitive information on a targeted system.
Description
1. Use-After-Free Vulnerability (CVE-2019-0196)
This vulnerability exists in the mod_http2 module of Apache HTTP server due
to a use-after-free error on string comparison. A remote attacker could
exploit this vulnerability by sending a specially crafted request.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
2. Memory Corruption Vulnerability (CVE-2019-0197)
This vulnerability exists in the mod_http2 module of Apache HTTP server due
to an error when HTTP/2 or H2Upgrade was enabled for http/https host. A
remote attacker could exploit this vulnerability by sending a specially
crafted request.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
3. Denial of Service Vulnerability (CVE-2018-20843)
This vulnerability exists in libexpat in Expat due to improper restriction
of XML parser. An attacker could exploit this vulnerability by sending
crafted XML input which included XML names containing a large number of
colons resulting in excessive consumption of RAM and CPU
resources.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
4. Buffer Over-Read Vulnerability (CVE-2019-15903)
This vulnerability exists in libexpat in Expat due to improper restriction
of XML parser. An attacker could exploit this vulnerability by sending
crafted XML input leading to earlier processing from DTD parsing to
document parsing. This could lead to crashing of the target system.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
5. Denial of Service Vulnerability (CVE-2019-19956)
This vulnerability exists in xmlParseBalancedChunkMemoryRecover in parser.c
in libxml2 due to a memory leak error related to newDoc->oldNs.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
6. Denial of Service Vulnerability (CVE-2019- 20388)
This vulnerability exists in xmlSchemaPreRun in xmlschemas.c in libxml2 due
to a memory leak error.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
7. Denial of Service Vulnerability (CVE-2020-7595)
This vulnerability exists in xmlStringLenDecodeEntities in parser.c in
libxml2 due to incorrect handling of XML files. This vulnerability could
lead to infinite loop in a certain end-of-file situation.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
8. Information Disclosure Vulnerability (CVE-2020-1934)
This vulnerability exists in mod_proxy_ftp module of Apache HTTP server due
to the use of uninitialized memory variable while proxying to a malicious
FTP server.
Successful exploitation of this vulnerability could allow the attacker to
gain access to sensitive information.
9. Denial of Service Vulnerability (CVE-2020-11080)
This vulnerability exists in nghttp2 due to improper neutralization of
input. An attacker could exploit this vulnerability by repeatedly
constructing a SETTINGS frame with a length of 14,400 bytes resulting in
excessive usage of RAM.
Successful exploitation of this vulnerability could allow the attacker to
cause denial of service conditions.
Solution
Apply appropriate updates as mentioned in the vendor advisory
Vendor Information
Red Hat JBoss
References
Red Hat
CVE Name
CVE-2019-0196
CVE-2019-0197
CVE-2019-19956
CVE-2019-20388
CVE-2020-7595
CVE-2018-20843
CVE-2019-15903
CVE-2020-1934
CVE-2020-11080
About Cert Advisory
We have created this blog to provide latest security advisory from the india cert for the security vulnerability, threats, attacks and patching required to mitigate any kind of cyber attacks.