Resource Exhaustion Affecting eap7-jboss-server-migration package, versions <0:1.7.2-5.Final_redhat_00006.1.el8eap


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
1.09% (61st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL8-EAP7JBOSSSERVERMIGRATION-5316244
  • published30 Mar 2023
  • disclosed9 Dec 2020

Introduced: 9 Dec 2020

CVE-2020-35510  (opens in a new tab)
CWE-400  (opens in a new tab)

How to fix?

Upgrade RHEL:8 eap7-jboss-server-migration to version 0:1.7.2-5.Final_redhat_00006.1.el8eap or higher.
This issue was patched in RHSA-2021:0874.

NVD Description

Note: Versions mentioned in the description apply only to the upstream eap7-jboss-server-migration package and not the eap7-jboss-server-migration package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in jboss-remoting in versions before 5.0.20.SP1-redhat-00001. A malicious attacker could cause threads to hold up forever in the EJB server by writing a sequence of bytes corresponding to the expected messages of a successful EJB client request, but omitting the ACK messages, or just tamper with jboss-remoting code, deleting the lines that send the ACK message from the EJB client code resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVSS Base Scores

version 3.1