Bug 1255597 (CVE-2015-5220)

Summary: CVE-2015-5220 OOME from EAP 6 http management console
Product: [Other] Security Response
Reporter: Timothy Walsh <twalsh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aogburn, asantos, cdewolf, chaowan, dandread, darran.lofthouse, jason.greene, jawilson, jshepherd, lgao, miburman, myarboro, pgier, pslavice, rsvoboda, security-response-team, slong, spinder, theute, twalsh, vtunka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:43:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1255602, 1278255
Bug Blocks: 1255595, 1271191, 1278258

Description Timothy Walsh 2015-08-21 05:20:59 UTC
No sanity checks and unbounded header sizes/counts lead to OOME from the EAP 6 HTTP management console.

Comment 3 Timothy Walsh 2015-10-14 07:34:56 UTC
Acknowledgement:

This issue was discovered by Aaron Ogburn of the Red Hat GSS Middleware Team.

Comment 4 errata-xmlrpc 2015-10-15 15:29:05 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1907 https://rhn.redhat.com/errata/RHSA-2015-1907.html

Comment 5 errata-xmlrpc 2015-10-15 15:42:56 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1905 https://rhn.redhat.com/errata/RHSA-2015-1905.html

Comment 6 errata-xmlrpc 2015-10-15 15:44:00 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:1904 https://rhn.redhat.com/errata/RHSA-2015-1904.html

Comment 7 errata-xmlrpc 2015-10-15 16:00:17 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:1906 https://rhn.redhat.com/errata/RHSA-2015-1906.html

Comment 9 errata-xmlrpc 2016-07-27 15:30:09 UTC
This issue has been addressed in the following products:

Via RHSA-2016:1519 https://rhn.redhat.com/errata/RHSA-2016-1519.html