Kunjan Rathod

**Name of the Vulnerable Software and Affected Versions** Wildfly versions prior to 17.0 **Description** A flaw was found in Wildfly, where an incorrect JBOSS LOCAL USER challenge location when using the elytron configuration may lead to JBOSS LOCAL USER access to all users on the machine. The highest threat from this issue is to confidentiality, integrity, and availability. **Recommendations** For versions prior to 17.0, update to version 17.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the elytron configuration to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Artemis in EAP 7 (affected versions not specified) Description: A flaw in the HornetQ component of Artemis in EAP 7 allows a remote attacker to execute arbitrary code with the permissions of the application using a JMS ObjectMessage. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD) versions (affected versions not specified) **Description** A security issue has reappeared in JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD) due to regression, allowing an attacker to exploit it by modifying the PID file in /var/run/jboss-eap/. This modification enables the init.d script to terminate any process as root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Wildfly (affected versions not specified) Description: A flaw was found in the JBoss EJB client, which has publicly accessible privileged actions. This may lead to information disclosure on the server it is deployed on, with the highest threat being to data confidentiality. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JBossWeb versions prior to 7.5.31.Final-redhat-3 **Description** A flaw in JBossWeb allows for a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame, affecting system availability. **Recommendations** For versions prior to 7.5.31.Final-redhat-3, update to version 7.5.31.Final-redhat-3 or later to resolve the issue. As a temporary workaround, consider restricting access to WebSocket frames to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Undertow versions 2.0.29.Final and before **Description** A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009. This issue allows a remote, unauthenticated attacker to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution. The vulnerability is related to insufficient access control in the AJP Connector service. **Recommendations** For Undertow versions 2.0.29.Final and before, update to version 2.0.30.Final to resolve the issue. As a temporary workaround, consider disabling the AJP connector or restricting access to the default AJP configuration port 8009 until a patch is applied. Additionally, restrict file uploads on the vulnerable server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Wildfly versions 7.2.0.GA through 7.2.5.CR2 **Description** A flaw was found when an OpenSSL security provider is used with Wildfly, where the 'enabled-protocols' value in the Wildfly configuration isn't honored. This could allow an attacker to target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption and leading to a leak of the data being passed over the network. **Recommendations** For Wildfly version 7.2.0.GA, update to a fixed version to resolve the issue. For Wildfly version 7.2.3.GA, update to a fixed version to resolve the issue. For Wildfly version 7.2.5.CR2, update to a fixed version to resolve the issue. As a temporary workaround, consider restricting the use of the OpenSSL security provider until a patch is available. Restrict access to the vulnerable configuration to minimize the risk of exploitation.