Chapter 6. Fixed CVEs

JBoss EAP 7.2 includes fixes for the following security-related issues:

CVE-2017-7503: xml frameworks: JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE
CVE-2018-10237: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
CVE-2018-1067: undertow: HTTP header injection using CRLF with UTF-8 encoding
CVE-2018-10862: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files
CVE-2017-12174: artemis/hornetq: Memory exhaustion via UDP and JGroups discovery
CVE-2017-12629: Solr: Code execution via entity expansion
CVE-2017-15089: infinispan: Unsafe deserialization of malicious object injected into data cache
CVE-2017-12196: undertow: Client can use bogus uri in Digest authentication
CVE-2018-8088: slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
CVE-2018-1047: undertow: Path traversal in ServletResourceManager class
CVE-2018-8039: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*