Published on: 27 March 2020
Red Hat has released new versions of JBoss Enterprise Application Platform to address multiple vulnerabilities in the Apache JServ Protocol (AJP), Apache Thrift and OpenSSL security provider. A remote attacker could exploit the vulnerabilities by sending specially crafted requests or uploading malicious files to an affected system.
Reports indicate that the vulnerability (CVE-2020-1745) allows a remote, unauthenticated attacker to execute arbitrary code on an affected system through specially crafted requests. Users are advised to take immediate action to patch their affected systems to mitigate the elevated risk of cyber attacks. For systems hosted on outsourced platforms, system owners should confirm with their web hosting service providers that the relevant patches have been applied.
Successful exploitation of the vulnerability could lead to denial of service, remote code execution or information disclosure on an affected system.
Patches for affected systems are available and can be obtained through the subscription services. System administrators of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.
https://www.hkcert.org/my_url/en/alert/20032601
https://access.redhat.com/errata/RHSA-2020:0961
https://access.redhat.com/errata/RHSA-2020:0962
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0210
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1745