Red Hat Bugzilla – Bug 1530457
CVE-2018-1041 jboss-remoting: High CPU Denial of Service
Last modified: 2018-10-19 17:45:52 EDT
A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting versions 3.3.10.Final-redhat-1, reads from an empty buffer. An attacker could use this flaw to cause denial of service via high CPU caused by an infinite loop.
By default JBoss EAP 7.x doesn't expose port 4447 as it uses HTTP-REMOTING over port 8080. Reference: https://access.redhat.com/solutions/2360971
I couldn't reproduce this issue on EAP 7.0.8 or 7.1.0 after exposing the 'native' connector as explained in previous comment (#4).
Acknowledgements: (none)
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0269 https://access.redhat.com/errata/RHSA-2018:0269
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2018:0268 https://access.redhat.com/errata/RHSA-2018:0268
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2018:0271 https://access.redhat.com/errata/RHSA-2018:0271
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:0270 https://access.redhat.com/errata/RHSA-2018:0270
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2018:0275 https://access.redhat.com/errata/RHSA-2018:0275