WildFly Log File Viewer Directory Traversal Vulnerability


Description   A directory traversal vulnerability was reported in WildFly. An authenticated remote attacker could exploit it by adding a "/../" sequence to a URI in order to read arbitrary files with www-data privileges. This vulnerability is located in the log file viewer.
     
Vulnerable Products
- Enterprise Application Platform (JBoss Inc.) - 6 EL5, 6 EL6, 6 EL7, 6.4, 6.4.0, ..., 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8

Vulnerable OS
- Enterprise Linux 6 (Red Hat) - HPC Node, Server
- Enterprise Linux 7 (Red Hat) - ComputeNode, Server
     
Solution   Fixed eap7-jboss-ec2-eap packages for Red Hat Enterprise Linux 6 and 7 are available.
     
CVE   CVE-2017-2595
     
References   - RHSA-2017:1409-1 : Red Hat JBoss Enterprise Application Platform security update
https://rhn.redhat.com/errata/RHSA-2017-1409.html
- RHSA-2017:1410-1 : JBoss Enterprise Application Platform 7.0.6 on Red Hat Enterprise Linux 6
http://rhn.redhat.com/errata/RHSA-2017-1410.html
- RHSA-2017:1411-1 : JBoss Enterprise Application Platform 7.0.6 on Red Hat Enterprise Linux 7
http://rhn.redhat.com/errata/RHSA-2017-1411.html
- RHSA-2017:1412-1 : eap7-jboss-ec2-eap security update
http://rhn.redhat.com/errata/RHSA-2017-1412.html
- RHSA-2017:1550 : Red Hat JBoss Enterprise Application Platform 6.4.16 update on RHEL 5
http://rhn.redhat.com/errata/RHSA-2017-1550.html
- RHSA-2017:1551 : Red Hat JBoss Enterprise Application Platform security update
http://rhn.redhat.com/errata/RHSA-2017-1551.html
- RHSA-2017:1548 : Red Hat JBoss Enterprise Application Platform 6.4.16 update on RHEL 7
http://rhn.redhat.com/errata/RHSA-2017-1548.html
- RHSA-2017:1549 : Red Hat JBoss Enterprise Application Platform 6.4.16 update on RHEL 6
http://rhn.redhat.com/errata/RHSA-2017-1549.html
- RHSA-2017:1552 : jboss-ec2-eap security, bug fix, and enhancement update
http://rhn.redhat.com/errata/RHSA-2017-1552.html
- RHSA-2017:3456-01 : Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update
https://access.redhat.com/errata/RHSA-2017:3456.html
- RHSA-2017:3454-01 : Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update
https://access.redhat.com/errata/RHSA-2017:3454.html
- RHSA-2017:3458-01 : Important: eap7-jboss-ec2-eap security update
https://access.redhat.com/errata/RHSA-2017:3458.html
- RHSA-2017:3455-01 : Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update
https://access.redhat.com/errata/RHSA-2017:3455.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                            Available Since
Misc : Directory traversal - parameter starting with ../    3.2.0
Directory traversal using ..\..                             3.2.0
Directory traversal                                         3.2.0
Directory traversal backward root folder                    3.2.0
     
Risk level   Low

Vulnerability First Public Report Date   2017-06-07

Target Type   Server

Possible exploit   Remote