CVE-2020-27822 – wildfly: Potential Memory leak in Wildfly when using OpenTracing
https://notcve.org/view.php?id=CVE-2020-27822
A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API's java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availability of the server. The highest threat from this vulnerability is to system availability.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1904060 https://access.redhat.com/security/cve/CVE-2020-27822 https://issues.redhat.com/browse/WFLY-14094
CWE-401: Missing Release of Memory after Effective Lifetime
CVE-2020-25640 – wildfly: resource adapter logs plaintext JMS password at warning level on connection error
https://notcve.org/view.php?id=CVE-2020-25640
A flaw was discovered in WildFly before 21.0.0.Final where the resource adapter logs the plaintext JMS password at warning level on connection error, inserting sensitive information into the log file.
A flaw was found in wildfly. JMS passwords are logged by the resource adaptor in plain text at the warning level when a connection error occurs, allowing any user who has access to the log to gain access to this sensitive information. The highest threat from this vulnerability is to data confidentiality.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1881637 https://github.com/amqphub/amqp-10-resource-adapter/issues/13 https://security.netapp.com/advisory/ntap-20201210-0001 https://access.redhat.com/security/cve/CVE-2020-25640
CWE-209: Generation of Error Message Containing Sensitive Information
CWE-532: Insertion of Sensitive Information into Log File
CVE-2020-25689 – wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
https://notcve.org/view.php?id=CVE-2020-25689
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where the host-controller, while unable to connect to the domain-controller, tries to reconnect in a loop, generating new connections that are not properly closed. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689 https://security.netapp.com/advisory/ntap-20201123-0006 https://access.redhat.com/security/cve/CVE-2020-25689 https://bugzilla.redhat.com/show_bug.cgi?id=1893070
CWE-401: Missing Release of Memory after Effective Lifetime
CVE-2020-10718 – wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API
https://notcve.org/view.php?id=CVE-2020-10718
A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1828476 https://access.redhat.com/security/cve/CVE-2020-10718
CWE-749: Exposed Dangerous Method or Function
CVE-2020-10740 – wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
https://notcve.org/view.php?id=CVE-2020-10740
A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans (EJB) due to lack of validation/filtering capabilities in wildfly.
A flaw was found in Wildfly. A remote deserialization attack is possible in the Enterprise Application Beans (EJB) due to lack of validation/filtering capabilities in wildfly. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740 https://access.redhat.com/security/cve/CVE-2020-10740 https://bugzilla.redhat.com/show_bug.cgi?id=1834512
CWE-502: Deserialization of Untrusted Data