Description

It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted.

Remediation

References

CVE-2016-8657

Related Vulnerabilities

WordPress Plugin NextGEN Gallery-WordPress Gallery Unspecified Vulnerability (2.2.46)

Apache httpOnly cookie disclosure

WordPress Plugin UpdraftPlus WordPress Backup Cross-Site Scripting (1.13.4)

WordPress Plugin Ad Blocker Notify Lite Cross-Site Scripting (2.4.0)

Ruby Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2017-17790)

Severity

High

Classification

CVE-2016-8657 CWE-264 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities