Bug 13957

Summary: [CVE 21] wildfly 10.1.0 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED WONTFIX
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: Highest
CC: e.kosachev, s.matveev, v.potapov, y.tumanov
Version: All
Flags: y.tumanov: secteam_verified?
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2018-14627, CVE-2020-10718, CVE-2020-10740, CVE-2020-1719, CVE-2020-25640, CVE-2021-3503, CVE-2021-3536, CVE-2022-1278
Whiteboard:
Platform: 2021.1 ROSA
Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-10-18 20:32:07 MSK
Please patch CVEs for package wildfly version 10.1.0

INFO (CVEs are): wildfly 10.1.0 CVEs found
CVE-2018-14627
Desc: The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: <transport-config confidentiality="required" trust-in-target="supported"/>
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-14627
Severity: MEDIUM
CVE-2020-10718
Desc: A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10718
Severity: HIGH
CVE-2020-10740
Desc: A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans (EJB) due to lack of validation/filtering capabilities in wildfly.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10740
Severity: HIGH
CVE-2020-1719
Desc: A flaw was found in wildfly. The EJBContext principal is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-1719
Severity: MEDIUM
CVE-2020-25640
Desc: A flaw was discovered in WildFly before 21.0.0.Final where a resource adapter logs a plaintext JMS password at warning level on connection error, inserting sensitive information into the log file.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-25640
Severity: MEDIUM
CVE-2021-3503
Desc: A flaw was found in Wildfly where insufficient RBAC restrictions may lead to exposure of metrics data. The highest threat from this vulnerability is to confidentiality.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3503
Severity: MEDIUM
CVE-2021-3536
Desc: A flaw was found in Wildfly in versions before 23.0.2.Final: while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-3536
Severity: MEDIUM
CVE-2022-1278
Desc: A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-1278
Severity: HIGH
Comment 1 Svyatoslav Matveev 2023-12-12 02:18:19 MSK
Part of the Java stack, which will not be updated for now.