Information security specialists report the detection of multiple vulnerabilities in JBoss Enterprise Application Platform (EAP), an open-source Java EE-based application server runtime platform developed and maintained by Red Hat and used to create, deploy, and host highly transactional Java applications and services.

According to the report, these flaws are considered critical because their successful exploitation would allow the deployment of dangerous hacking scenarios, so it is vital that users of affected implementations update as soon as possible.

Below are brief descriptions of the detected flaws and their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2022-1319: EAP 7 incorrectly sends two response packets with the reuse flag set even though JBoss EAP closes the connection, allowing remote threat actors to deploy a denial-of-service (DoS) attack.

This is a medium severity vulnerability and received a CVSS score of 6.5/10.

CVE-2022-24785: Incorrect input validation in the npm version of Moment.js would allow directory traversal: remote attackers could send specially crafted HTTP requests and read arbitrary files on the system.

The vulnerability received a CVSS score of 6.5/10.

CVE-2022-23913: The application does not adequately control the consumption of internal resources, which would allow remote hackers to deploy DoS attacks.

The flaw received a CVSS score of 6.5/10 and is considered a risk of medium severity.

CVE-2022-23437: An infinite loop when parsing XML documents would allow remote hackers to generate a DoS condition through a specially crafted XML document.

This is a medium severity vulnerability and received a CVSS score of 6.5/10.

CVE-2022-23221: Insecure input validation when processing serialized data within jdbc:h2:mem would allow hackers to pass a specially crafted JDBC URL with the substring IGNORE_UNKNOWN_SETTINGS=TRUE; FORBID_CREATION=FALSE;INIT=RUNSCRIPT, forcing arbitrary code execution on the affected system.

This is a high severity flaw and received a CVSS score of 8.5/10.

CVE-2022-21363: Incorrect input validation within the Connector/J component in MySQL Connectors would allow a high-privilege user to execute arbitrary code on the affected system.

This is a flaw of medium severity and received a CVSS score of 5.8/10.

CVE-2022-21299: Incorrect input validation within the JAXP component in Oracle GraalVM Enterprise Edition would allow unauthenticated remote attackers to generate service interruptions.

This flaw received a CVSS score of 4.6/10 and is considered a medium severity error.

CVE-2022-0866: Incorrect authorization would allow disclosure of the caller’s principal, which can be returned from EJBComponent#getCallerPrincipal.

This is a low-severity vulnerability and received a CVSS score of 3.2/10.

CVE-2020-36518: A limit error when processing untrusted input would allow remote threat actors to trigger an out-of-bounds write and force a DoS condition.

This is a medium severity vulnerability and received a CVSS score of 6.5/10.

CVE-2022-0853: A memory leakage bug would allow remote attackers to deploy DoS attacks on affected systems.

The flaw received a CVSS score of 6.5/10.

CVE-2022-0084: The notifyReadClosed method in main/java/org/xnio/StreamConnection.java writes its data to the debug log instead of stderr. Because of this practice, an attacker could force the logging of a huge amount of data, consuming all the available space and generating a DoS condition.

This is a low-severity vulnerability and received a CVSS score of 3.2/10.

CVE-2021-43797: Improper validation of HTTP requests when processing control characters present at the beginning or end of the header name would allow threat actors to send specially crafted HTTP requests to the server to perform HTTP header smuggling attacks.
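As an added illustration (not code from the report, from Netty or from Red Hat), the following Python parser applies the strict RFC 7230 token rule to header field names without trimming them, so a name carrying a leading or trailing control character of the kind CVE-2021-43797 describes is rejected rather than silently normalized into a name that another parser would read differently. The sample header blocks are constructed for the demonstration.

```python
# RFC 7230 "tchar": the only bytes permitted in an HTTP header field name.
# Iterating a bytes object yields ints, so the set holds byte values.
TCHAR = set(b"!#$%&'*+-.^_`|~"
            b"0123456789"
            b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            b"abcdefghijklmnopqrstuvwxyz")


class MalformedHeader(ValueError):
    """Raised for any header line a strict parser must refuse."""


def parse_header_block(raw: bytes) -> dict:
    """Parse CRLF-separated header lines strictly; return {lowercased name: value}.

    The field name is taken exactly as received (no whitespace or control-character
    trimming). Any non-token byte in it, including a control character at the start
    or end of the name, raises MalformedHeader so that a lenient front-end and a
    strict back-end can never disagree about which header this line carries.
    """
    headers = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue  # blank line: end of the header block
        name, sep, value = line.partition(b":")
        if not sep or not name:
            raise MalformedHeader(f"missing ':' or empty field name in {line!r}")
        bad = [b for b in name if b not in TCHAR]
        if bad:
            raise MalformedHeader(f"non-token byte(s) {bad} in header name {name!r}")
        # Only the value may be surrounded by optional whitespace (OWS).
        headers[name.decode("ascii").lower()] = value.strip(b" \t").decode("latin-1")
    return headers


def header_block_is_safe(raw: bytes) -> bool:
    """Convenience wrapper: True if every header name is a valid token."""
    try:
        parse_header_block(raw)
        return True
    except MalformedHeader:
        return False
```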

This flaw received a CVSS score of 5.7/10 and is considered a medium severity error.

CVE-2021-42392: Insecure input validation when processing serialized data within the org.h2.util.JdbcUtils.getConnection method would allow threat actors to pass a JNDI driver name and URL leading to LDAP or RMI servers and execute arbitrary code.

This is a critical security bug and received a CVSS score of 8.5/10.
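As an added defender's example covering both H2 issues above (CVE-2022-23221 and CVE-2021-42392), and not code from the report, from H2 or from Red Hat, the following Python screen parses an H2 JDBC URL into its `;KEY=VALUE` settings and flags the INIT, FORBID_CREATION and IGNORE_UNKNOWN_SETTINGS settings, and separately flags a driver name or URL that would resolve through JNDI to an LDAP or RMI server. It is meant for checking connection strings that arrive from users or configuration, or for triage over logged URLs; the sample URLs and host names are constructed placeholders.

```python
from urllib.parse import urlsplit

# H2 URL settings that turn a connection string into a code-execution vector:
# INIT runs SQL (e.g. RUNSCRIPT) on connect; the other two widen what it may do.
DANGEROUS_H2_SETTINGS = {"INIT", "FORBID_CREATION", "IGNORE_UNKNOWN_SETTINGS"}

# URL schemes that point JdbcUtils.getConnection-style lookups at a remote
# naming service instead of a database, as described for CVE-2021-42392.
JNDI_SCHEMES = {"ldap", "ldaps", "rmi"}
# Driver "class name" that makes the lookup go through JNDI (assumed indicator).
JNDI_DRIVER_CLASSES = {"javax.naming.InitialContext"}


def parse_h2_settings(jdbc_url: str) -> dict:
    """Split 'jdbc:h2:<db>;KEY=VALUE;...' into {KEY: VALUE}; keys are uppercased."""
    settings = {}
    for part in jdbc_url.split(";")[1:]:
        key, _, value = part.partition("=")
        if key.strip():
            settings[key.strip().upper()] = value.strip()
    return settings


def jdbc_url_findings(jdbc_url: str, driver_name: str = "") -> list:
    """Return human-readable findings for a driver name / JDBC URL pair.

    An empty list means nothing in the pair matched the indicators above.
    """
    findings = []
    if driver_name in JNDI_DRIVER_CLASSES:
        findings.append(f"driver name {driver_name} resolves through JNDI")
    scheme = urlsplit(jdbc_url).scheme.lower()
    if scheme in JNDI_SCHEMES:
        findings.append(f"URL scheme {scheme}: points at a remote naming service")
    if jdbc_url.lower().startswith("jdbc:h2:"):
        settings = parse_h2_settings(jdbc_url)
        for key in sorted(DANGEROUS_H2_SETTINGS & settings.keys()):
            findings.append(f"H2 setting {key}={settings[key]}")
    return findings


def safe_to_connect(jdbc_url: str, driver_name: str = "") -> bool:
    """Gate a connection attempt on the absence of findings."""
    return not jdbc_url_findings(jdbc_url, driver_name)
```

Treat this as a pre-connection sanity check and a triage aid, not a substitute for the vendor patch: the real fix is the updated H2/EAP build.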

CVE-2021-37137: Incorrect input validation within the Netty component in Oracle Commerce Guided Search would allow unauthenticated remote attackers to deploy DoS attacks.

The vulnerability received a CVSS score of 6.5/10.

CVE-2021-37136: The application does not properly control the consumption of internal resources in the Bzip2 decompression decoder function, which would allow threat actors to deploy DoS attacks.

This is a medium severity error and received a CVSS score of 6.5/10.

According to the report, the flaws reside in all versions of JBoss Enterprise Application Platform between v7.4.0 and v7.4.4. As already mentioned, this is a critical security risk, so it is best to apply the available patches as soon as possible; the good news is that no cases of active exploitation have been detected.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.