Chapter 6. Fixed CVEs
JBoss EAP 7.2 includes fixes for the following security-related issues:
- CVE-2017-7503: xml frameworks: JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE
- CVE-2018-10237: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allows remote attackers to cause a denial of service
- CVE-2018-1067: undertow: HTTP header injection using CRLF with UTF-8 encoding
- CVE-2018-10862: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files
- CVE-2017-12174: artemis/hornetq: Memory exhaustion via UDP and JGroups discovery
- CVE-2017-12629: Solr: Code execution via entity expansion
- CVE-2017-15089: infinispan: Unsafe deserialization of malicious object injected into data cache
- CVE-2017-12196: undertow: Client can use bogus URI in Digest authentication
- CVE-2018-8088: slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
- CVE-2018-1047: undertow: Path traversal in ServletResourceManager class
- CVE-2018-8039: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*