Apache · Apache Tomcat · CVE-2015-5174
**Name of the Vulnerable Software and Affected Versions**
Apache Tomcat versions 6.0.0 through 6.0.44
Apache Tomcat versions 7.0.0 through 7.0.64
Apache Tomcat versions 8.0.0 through 8.0.26
**Description**
The issue is a directory traversal vulnerability in the RequestUtil.java file. It allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) sequence in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. A web application that passes such a path can obtain a directory listing for the directory in which it was deployed, typically $CATALINA_BASE/webapps; this should not be possible when the application runs under a SecurityManager.
**Recommendations**
For Apache Tomcat versions 6.0.0 through 6.0.44, update to version 6.0.45 or later.
For Apache Tomcat versions 7.0.0 through 7.0.64, update to version 7.0.65 or later.
For Apache Tomcat versions 8.0.0 through 8.0.26, update to version 8.0.27 or later.
As a temporary workaround, consider restricting access to the getResource, getResourceAsStream, and getResourcePaths methods to minimize the risk of exploitation.
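As an added example (not code from Tomcat or from this advisory), a Java helper that a web application can place in front of its own getResource, getResourceAsStream and getResourcePaths calls whenever the path originates from a request: it rejects any `..` segment outright, so a `/..` sequence never reaches the container. The class and method names are hypothetical.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletContext;

/** Hypothetical guard for caller-supplied resource paths (assumption: names are illustrative). */
public final class SafeResourcePath {

    private SafeResourcePath() {}

    /**
     * Returns a cleaned, root-relative path that cannot leave the web application,
     * or null if the input must be rejected. ".." is refused rather than resolved:
     * no legitimate resource lookup inside a web application needs to climb.
     */
    public static String normalize(String path) {
        if (path == null || path.isEmpty() || path.charAt(0) != '/') {
            return null;                           // resource paths must be root-relative
        }
        if (path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0 || path.indexOf('%') >= 0) {
            return null;                           // backslashes, NULs and percent-encoding are never legitimate here
        }
        List<String> segments = new ArrayList<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                          // "//" and "/./" collapse to nothing
            }
            if (seg.equals("..")) {
                return null;                       // the CVE-2015-5174 pattern: refuse it outright
            }
            segments.add(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : segments) {
            sb.append('/').append(seg);
        }
        if (path.endsWith("/")) {
            sb.append('/');                        // keep the trailing slash getResourcePaths expects
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    /** Wrapper around ServletContext.getResource that returns null for rejected paths. */
    public static URL getResource(ServletContext ctx, String userPath) throws MalformedURLException {
        String clean = normalize(userPath);
        return clean == null ? null : ctx.getResource(clean);
    }
}
```

With this guard, `normalize("/WEB-INF/../")` and `normalize("/..")` return null, while `normalize("/images//logo.png")` returns `/images/logo.png`.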