RHSA-2024:51 JBoss EAP 7.4 Security Advisory: CVE-2024-27316 DoS and Marvin Attack Fixes

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. **Vulnerability ID**: RHSA-2024:51 2. **Release Date**: 2024-08-08 3. **Type/Severity**: Security Advisory, Important Update 4. **Affected Product**: JBoss Enterprise Application Platform 7.4 for RHEL 8 x86_64 5. **Fixed Vulnerabilities**: - BZ-2268277: CVE-2024-27316 httpd: CONTINUATION frames DoS - BZ-2272907: CVE-2024-29025 netty-codec-http: Allocation of Resources Without Limits or Throttling - BZ-2274437: CVE-2024-3653 undertow: LearningPushHandler can lead to remote memory DoS attacks - BZ-2276360: CVE-2024-30171 bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack) - BZ-2292211: CVE-2024-5971 undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket - BZ-2293025: CVE-2024-30172 org.bouncycastle:bcpov-jdk18on: Infinite loop in ED25519 verification in the ScalarUtil class - BZ-2293028: CVE-2024-29857 org.bouncycastle: Importing an EC certificate with crafted F2m parameters may lead to Denial of Service - JBEAP-26834: Tracker bug for the EAP 7.4.18 release for RHEL-8 - JBEAP-26292: (7.4.z) Upgrade Ironjacamar from 1.5.16.Final-redhat-00001 to 1.5.17.Final-redhat-00001 - JBEAP-27017: (7.4.z) Upgrade HAL from 3.3.22.Final-redhat-00001 to 3.3.23.Final-redhat-00001 - JBEAP-27056: (GSS)(7.4.z) Upgrade Jandex from jandex-2.4.4.Final-redhat-00001 to jandex-2.4.5.Final-redhat-00001 - JBEAP-27078: (7.4.z) Upgrade Wildfly Core from 15.0.36.Final-redhat-00001 to 15.0.37.Final-redhat-00001 - JBEAP-27079: (7.4.z) Upgrade undertow from 2.2.32.SP1-redhat-00001 to 2.2.33.SP1-redhat-00001 - JBEAP-27101: (7.4.z) Upgrade log4j-boss-logmanager from 1.2.2.Final-redhat-00002 to 1.3.1.Final-redhat-00002 - JBEAP-27181: (7.4.z) Upgrade bouncycastle from 1.76.0.redhat-00001 to 1.78.1.redhat-00002 - JBEAP-27290: (7.4.z) Upgrade Netty to 4.1.108.Final and netty-xnio-transport to 0.1.10.Final - JBEAP-27352: (7.4.z) Upgrade JBoss Remoting from 5.0.27.SP2-redhat-00001 to 5.0.29.Final-redhat-00001 - JBEAP-27353: (7.4.z) Upgrade XNIO from 3.8.12.SP2-redhat-00001 to 3.8.16.Final-redhat-00001 6. **CVE IDs**: - CVE-2024-3653 - CVE-2024-5971 - CVE-2024-27316 - CVE-2024-29025 - CVE-2024-29857 - CVE-2024-30171 - CVE-2024-30172 This information helps users understand the details of the vulnerability, the affected products, the list of fixed vulnerabilities, and the associated CVE IDs, enabling them to perform necessary security updates and remediation.

Goal Reached Thanks to every supporter — we hit 100%!

RHSA-2024:51 JBoss EAP 7.4 Security Advisory: CVE-2024-27316 DoS and Marvin Attack Fixes