fusepoc20160217's People

Contributors

thunderliortest[bot]

fusepoc20160217's Issues

CVE-2015-7501 High Severity Vulnerability detected by WhiteSource

CVE-2015-7501 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

path: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Library home page: http://commons.apache.org/collections/

Dependency Hierarchy:

  • camel-xmljson-2.15.1.redhat-621084.jar (Root Library)
    • json-lib-2.4.jar
      • commons-collections-3.2.1.jar (Vulnerable Library)

Vulnerability Details

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2017-11-09

URL: CVE-2015-7501

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7501

Release Date: 2017-12-31

Fix Resolution: Upgrade to version apache-commons-collections 4.1, apache-commons-collections 3.2.2 or greater


Step up your Open Source Security Game with WhiteSource here

CVE-2015-5254 High Severity Vulnerability detected by WhiteSource

CVE-2015-5254 - High Severity Vulnerability

Vulnerable Library - activemq-client-5.11.1.jar

The ActiveMQ Client implementation

path: 2/repository/org/apache/activemq/activemq-client/5.11.1/activemq-client-5.11.1.jar

Dependency Hierarchy:

  • activemq-client-5.11.1.jar (Vulnerable Library)

Vulnerability Details

Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

Publish Date: 2016-01-08

URL: CVE-2015-5254

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5254

Release Date: 2016-01-08

Fix Resolution: 5.13.0

CVE-2014-0107 High Severity Vulnerability detected by WhiteSource

CVE-2014-0107 - High Severity Vulnerability

Vulnerable Library - xalan-2.7.0.jar

path: /root/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar

Dependency Hierarchy:

  • xom-1.2.5.jar (Root Library)
    • xalan-2.7.0.jar (Vulnerable Library)

Vulnerability Details

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

Publish Date: 2014-04-15

URL: CVE-2014-0107

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0107

Release Date: 2014-04-15

Fix Resolution: 2.7.2

CVE-2012-5783 Medium Severity Vulnerability detected by WhiteSource

CVE-2012-5783 - Medium Severity Vulnerability

Vulnerable Library - commons-httpclient-3.1.jar

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

path: /root/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar

Library home page: http://jakarta.apache.org/httpcomponents/httpclient-3.x/

Dependency Hierarchy:

  • camel-jetty-2.15.1.redhat-621084.jar (Root Library)
    • camel-jetty8-2.15.1.redhat-621084.jar
      • camel-http-2.15.1.redhat-621084.jar
        • commons-httpclient-3.1.jar (Vulnerable Library)

Vulnerability Details

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Publish Date: 2012-11-04

URL: CVE-2012-5783

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://xforce.iss.net/xforce/xfdb/79984

Release Date: 2017-12-31

Fix Resolution: Apply the appropriate patch for your system. See References.

CVE-2018-14721 High Severity Vulnerability detected by WhiteSource

CVE-2018-14721 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af?diff=unified

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

CVE-2018-19360 High Severity Vulnerability detected by WhiteSource

CVE-2018-19360 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

CVE-2018-14720 High Severity Vulnerability detected by WhiteSource

CVE-2018-14720 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

CVE-2018-5968 High Severity Vulnerability detected by WhiteSource

CVE-2018-5968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@038b471

Release Date: 2018-01-22

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

CVE-2017-15095 High Severity Vulnerability detected by WhiteSource

CVE-2017-15095 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1039769

Fix Resolution: The vendor issued a fix (2.8.11.1, 2.9.4).

The vendor advisories are available at:

FasterXML/jackson-databind#1680
FasterXML/jackson-databind#1723
FasterXML/jackson-databind#1737
FasterXML/jackson-databind#1855
FasterXML/jackson-databind#1899

CVE-2015-6420 High Severity Vulnerability detected by WhiteSource

CVE-2015-6420 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

path: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Library home page: http://commons.apache.org/collections/

Dependency Hierarchy:

  • camel-xmljson-2.15.1.redhat-621084.jar (Root Library)
    • json-lib-2.4.jar
      • commons-collections-3.2.1.jar (Vulnerable Library)

Vulnerability Details

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2015-12-15

URL: CVE-2015-6420

CVSS 2 Score Details (7.5)

Base Score Metrics not available

CVE-2018-14718 High Severity Vulnerability detected by WhiteSource

CVE-2018-14718 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java

CVE-2014-0114 High Severity Vulnerability detected by WhiteSource

CVE-2014-0114 - High Severity Vulnerability

Vulnerable Libraries - commons-beanutils-1.8.0.jar, commons-beanutils-1.9.1.jar

commons-beanutils-1.8.0.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

path: /root/.m2/repository/commons-beanutils/commons-beanutils/1.8.0/commons-beanutils-1.8.0.jar

Library home page: http://commons.apache.org/beanutils/

Dependency Hierarchy:

  • camel-xmljson-2.15.1.redhat-621084.jar (Root Library)
    • json-lib-2.4.jar
      • commons-beanutils-1.8.0.jar (Vulnerable Library)

commons-beanutils-1.9.1.jar

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

path: /root/.m2/repository/commons-beanutils/commons-beanutils/1.9.1/commons-beanutils-1.9.1.jar

Library home page: http://commons.apache.org/proper/commons-beanutils/

Dependency Hierarchy:

  • camel-dozer-2.15.1.redhat-621084.jar (Root Library)
    • dozer-5.5.1.jar
      • commons-beanutils-1.9.1.jar (Vulnerable Library)

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/BEANUTILS-463

Release Date: 2014-05-24

Fix Resolution: Upgrade to version 1.9.2 or greater

CVE-2015-2156 High Severity Vulnerability detected by WhiteSource

CVE-2015-2156 - High Severity Vulnerability

Vulnerable Library - netty-3.9.6.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

path: /root/.m2/repository/io/netty/netty/3.9.6.Final/netty-3.9.6.Final.jar

Dependency Hierarchy:

  • camel-netty-http-2.15.1.redhat-621084.jar (Root Library)
    • camel-netty-2.15.1.redhat-621084.jar
      • netty-3.9.6.Final.jar (Vulnerable Library)

Vulnerability Details

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Publish Date: 2017-10-18

URL: CVE-2015-2156

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2156

Fix Resolution: Upgrade to version netty 3.9.8.Final, netty 3.10.3.Final or greater

CVE-2017-7658 High Severity Vulnerability detected by WhiteSource

CVE-2017-7658 - High Severity Vulnerability

Vulnerable Libraries - jetty-server-8.1.16.v20140903.jar, jetty-http-8.1.16.v20140903.jar

jetty-server-8.1.16.v20140903.jar

The core jetty server artifact.

path: /root/.m2/repository/org/eclipse/jetty/jetty-server/8.1.16.v20140903/jetty-server-8.1.16.v20140903.jar

Dependency Hierarchy:

  • camel-jetty-2.15.1.redhat-621084.jar (Root Library)
    • camel-jetty8-2.15.1.redhat-621084.jar
      • jetty-server-8.1.16.v20140903.jar (Vulnerable Library)

jetty-http-8.1.16.v20140903.jar

Administrative parent pom for Jetty modules

path: /root/.m2/repository/org/eclipse/jetty/jetty-http/8.1.16.v20140903/jetty-http-8.1.16.v20140903.jar

Dependency Hierarchy:

  • camel-jetty-2.15.1.redhat-621084.jar (Root Library)
    • camel-jetty8-2.15.1.redhat-621084.jar
      • jetty-server-8.1.16.v20140903.jar
        • jetty-http-8.1.16.v20140903.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Publish Date: 2018-06-26

URL: CVE-2017-7658

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605; also 9.2.25.v20180606 and 9.3.24.v20180605).

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html

CVE-2017-7525 High Severity Vulnerability detected by WhiteSource

CVE-2017-7525 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Publish Date: 2018-02-06

URL: CVE-2017-7525

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1040360

Fix Resolution: Red Hat has issued a fix (Data Grid 7.1.2).

The Red Hat advisory is available at:

https://access.redhat.com/errata/RHSA-2018:0294

CVE-2018-7489 High Severity Vulnerability detected by WhiteSource

CVE-2018-7489 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Publish Date: 2018-02-26

URL: CVE-2018-7489

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1040693

Fix Resolution: The vendor has issued a fix as part of the April 2018 Critical Patch Update.

The vendor advisory is available at:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

CVE-2017-7656 High Severity Vulnerability detected by WhiteSource

CVE-2017-7656 - High Severity Vulnerability

Vulnerable Libraries - jetty-server-8.1.16.v20140903.jar, jetty-http-8.1.16.v20140903.jar

jetty-server-8.1.16.v20140903.jar

The core jetty server artifact.

path: /root/.m2/repository/org/eclipse/jetty/jetty-server/8.1.16.v20140903/jetty-server-8.1.16.v20140903.jar

Dependency Hierarchy:

  • camel-jetty-2.15.1.redhat-621084.jar (Root Library)
    • camel-jetty8-2.15.1.redhat-621084.jar
      • jetty-server-8.1.16.v20140903.jar (Vulnerable Library)

jetty-http-8.1.16.v20140903.jar

Administrative parent pom for Jetty modules

path: /root/.m2/repository/org/eclipse/jetty/jetty-http/8.1.16.v20140903/jetty-http-8.1.16.v20140903.jar

Dependency Hierarchy:

  • camel-jetty-2.15.1.redhat-621084.jar (Root Library)
    • camel-jetty8-2.15.1.redhat-621084.jar
      • jetty-server-8.1.16.v20140903.jar
        • jetty-http-8.1.16.v20140903.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Publish Date: 2018-06-26

URL: CVE-2017-7656

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605; also 9.2.25.v20180606 and 9.3.24.v20180605).

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html

CVE-2016-4970 High Severity Vulnerability detected by WhiteSource

CVE-2016-4970 - High Severity Vulnerability

Vulnerable Library - netty-handler-4.0.27.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

path: /root/.m2/repository/io/netty/netty-handler/4.0.27.Final/netty-handler-4.0.27.Final.jar

Library home page: http://netty.io/netty-handler/

Dependency Hierarchy:

  • camel-netty4-http-2.15.1.redhat-621084.jar (Root Library)
    • camel-netty4-2.15.1.redhat-621084.jar
      • netty-handler-4.0.27.Final.jar (Vulnerable Library)

Vulnerability Details

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).

Publish Date: 2017-04-13

URL: CVE-2016-4970

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-4970

Release Date: 2017-04-13

Fix Resolution: 4.0.37.Final, 4.1.1.Final

CVE-2018-11775 High Severity Vulnerability detected by WhiteSource

CVE-2018-11775 - High Severity Vulnerability

Vulnerable Library - activemq-client-5.11.1.jar

The ActiveMQ Client implementation

path: 2/repository/org/apache/activemq/activemq-client/5.11.1/activemq-client-5.11.1.jar

Dependency Hierarchy:

  • activemq-client-5.11.1.jar (Vulnerable Library)

Vulnerability Details

TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing, which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.

Publish Date: 2018-09-10

URL: CVE-2018-11775

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041618

Fix Resolution: The vendor has issued a fix (5.15.6).

The vendor advisory is available at:

http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt



CVE-2017-7657 High Severity Vulnerability detected by WhiteSource

CVE-2017-7657 - High Severity Vulnerability

Vulnerable Libraries - jetty-server-8.1.16.v20140903.jar, jetty-http-8.1.16.v20140903.jar

jetty-server-8.1.16.v20140903.jar

The core jetty server artifact.

path: /root/.m2/repository/org/eclipse/jetty/jetty-server/8.1.16.v20140903/jetty-server-8.1.16.v20140903.jar

Dependency Hierarchy:

  • camel-jetty-2.15.1.redhat-621084.jar (Root Library)
    • camel-jetty8-2.15.1.redhat-621084.jar
      • jetty-server-8.1.16.v20140903.jar (Vulnerable Library)

jetty-http-8.1.16.v20140903.jar

Administrative parent pom for Jetty modules

path: /root/.m2/repository/org/eclipse/jetty/jetty-http/8.1.16.v20140903/jetty-http-8.1.16.v20140903.jar

Dependency Hierarchy:

  • camel-jetty-2.15.1.redhat-621084.jar (Root Library)
    • camel-jetty8-2.15.1.redhat-621084.jar
      • jetty-server-8.1.16.v20140903.jar
        • jetty-http-8.1.16.v20140903.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Publish Date: 2018-06-26

URL: CVE-2017-7657

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041194

Fix Resolution: The vendor has issued a fix (9.4.11.v20180605, 9.2.25.v20180606, 9.3.24.v20180605).

The vendor advisory is available at:

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html



CVE-2015-4852 High Severity Vulnerability detected by WhiteSource

CVE-2015-4852 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

path: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Library home page: http://commons.apache.org/collections/

Dependency Hierarchy:

  • camel-xmljson-2.15.1.redhat-621084.jar (Root Library)
    • json-lib-2.4.jar
      • commons-collections-3.2.1.jar (Vulnerable Library)

Vulnerability Details

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Publish Date: 2015-11-18

URL: CVE-2015-4852

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1038292

Fix Resolution: The vendor has issued a fix as part of the April 2017 Oracle Critical Patch Update.

The vendor advisory is available at:

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html



CVE-2009-2625 Medium Severity Vulnerability detected by WhiteSource

CVE-2009-2625 - Medium Severity Vulnerability

Vulnerable Library - xercesImpl-2.8.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

path: /root/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar

Library home page: http://xerces.apache.org/xerces2-j

Dependency Hierarchy:

  • xom-1.2.5.jar (Root Library)
    • xercesImpl-2.8.0.jar (Vulnerable Library)

Vulnerability Details

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Publish Date: 2009-08-06

URL: CVE-2009-2625

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id?1022680

Release Date: 2017-12-31

Fix Resolution: The vendor has issued a fix for Windows, Solaris, and Linux:

  • JDK and JRE 6 Update 15 or later
  • JDK and JRE 5.0 Update 20 or later

Java SE releases are available at:

JDK and JRE 6 Update 15:

http://java.sun.com/javase/downloads/index.jsp

JRE 6 Update 15:

http://java.com/

through the Java Update tool for Microsoft Windows users.

JDK 6 Update 15 for Solaris is available in the following patches:

  • Java SE 6 Update 15 (as delivered in patch 125136-16)
  • Java SE 6 Update 15 (as delivered in patch 125137-16 (64bit))
  • Java SE 6_x86 Update 15 (as delivered in patch 125138-16)
  • Java SE 6_x86 Update 15 (as delivered in patch 125139-16 (64bit))

JDK and JRE 5.0 Update 20:

http://java.sun.com/javase/downloads/index_jdk5.jsp

JDK 5.0 Update 20 for Solaris is available in the following patches:

  • J2SE 5.0 Update 18 (as delivered in patch 118666-21)
  • J2SE 5.0 Update 18 (as delivered in patch 118667-21 (64bit))
  • J2SE 5.0_x86 Update 18 (as delivered in patch 118668-21)
  • J2SE 5.0_x86 Update 18 (as delivered in patch 118669-21 (64bit))

Java SE for Business releases are available at:

http://www.sun.com/software/javaseforbusiness/getit_download.jsp

Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see:

http://www.java.com/en/download/help/5000010800.xml

The vendor's advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1



WS-2009-0001 Low Severity Vulnerability detected by WhiteSource

WS-2009-0001 - Low Severity Vulnerability

Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

path: /root/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar

Library home page: http://commons.apache.org/proper/commons-codec/

Dependency Hierarchy:

  • camel-jetty-2.15.1.redhat-621084.jar (Root Library)
    • camel-jetty8-2.15.1.redhat-621084.jar
      • camel-http-2.15.1.redhat-621084.jar
        • commons-codec-1.10.jar (Vulnerable Library)

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07: an additional review by the WhiteSource research team could not confirm a clear security vulnerability.

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available



CVE-2018-14719 High Severity Vulnerability detected by WhiteSource

CVE-2018-14719 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@87d29af

Release Date: 2018-08-16

Fix Resolution: Replace or update the following files: VERSION, BeanDeserializerFactory.java



CVE-2017-9735 High Severity Vulnerability detected by WhiteSource

CVE-2017-9735 - High Severity Vulnerability

Vulnerable Library - jetty-util-8.1.16.v20140903.jar

Utility classes for Jetty

path: /root/.m2/repository/org/eclipse/jetty/jetty-util/8.1.16.v20140903/jetty-util-8.1.16.v20140903.jar

Dependency Hierarchy:

  • camel-jetty-2.15.1.redhat-621084.jar (Root Library)
    • camel-jetty8-2.15.1.redhat-621084.jar
      • jetty-servlets-8.1.16.v20140903.jar
        • jetty-util-8.1.16.v20140903.jar (Vulnerable Library)

Vulnerability Details

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Publish Date: 2017-06-16

URL: CVE-2017-9735

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: jetty/jetty.project@f3751d7

Release Date: 2017-05-16

Fix Resolution: Replace or update the following file: Credential.java



CVE-2018-19362 High Severity Vulnerability detected by WhiteSource

CVE-2018-19362 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8



CVE-2018-19361 High Severity Vulnerability detected by WhiteSource

CVE-2018-19361 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8



CVE-2017-17485 High Severity Vulnerability detected by WhiteSource

CVE-2017-17485 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.4.3.jar

General data-binding functionality for Jackson: works on core streaming API

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.4.3/jackson-databind-2.4.3.jar

Library home page: http://wiki.fasterxml.com/JacksonHome

Dependency Hierarchy:

  • camel-jackson-2.15.1.redhat-621084.jar (Root Library)
    • jackson-databind-2.4.3.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Publish Date: 2018-01-10

URL: CVE-2017-17485

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@bb45fb1#diff-727a6e8db3603b95f185697108af6c48

Release Date: 2017-12-19

Fix Resolution: Replace or update the following files: AbstractApplicationContext.java, AbstractPointcutAdvisor.java, BogusApplicationContext.java, SubTypeValidator.java, BogusPointcutAdvisor.java, IllegalTypesCheckTest.java



CVE-2013-4002 High Severity Vulnerability detected by WhiteSource

CVE-2013-4002 - High Severity Vulnerability

Vulnerable Library - xercesImpl-2.8.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

path: /root/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar

Library home page: http://xerces.apache.org/xerces2-j

Dependency Hierarchy:

  • xom-1.2.5.jar (Root Library)
    • xercesImpl-2.8.0.jar (Vulnerable Library)

Vulnerability Details

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Publish Date: 2013-07-23

URL: CVE-2013-4002

CVSS 2 Score Details (7.1)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://security.gentoo.org/glsa/glsa-201406-32.xml

Release Date: 2014-06-29

Fix Resolution: All IcedTea JDK users should upgrade to the latest version >= icedtea-bin-6.1.13.3

