A flaw was found in JBoss Remoting. When a malicious attacker could cause threads holding up forever in the EJB server by writing a sequence of bytes corresponding to the expected messages of a successful EJB client request, but omitting the ack messages, or just tamper with jboss-remoting code, deleting the lines that send the ack message from the EJB client code resulting in a denial of service. The highest threat from this vulnerability is to system availability.
This vulnerability is out of security support scope for the following products: * Red Hat Enterprise Application Platform 6 * Red Hat Enterprise Application Platform 5 * Red Hat JBoss Operations Network 3 * Red Hat Data Grid 7 * Red Hat JBoss BRMS 5 * Red Hat JBoss Data Virtualization 6 * Red Hat JBoss Fuse 6 * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss SOA Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Marking Red Hat Fuse 7 as having a low impact, Fuse 7 distributes affected versions of JBoss Remoting via Fuse on EAP, however the functionality of these artifacts is not used by Fuse.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2021:0885 https://access.redhat.com/errata/RHSA-2021:0885
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:0873 https://access.redhat.com/errata/RHSA-2021:0873
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:0874 https://access.redhat.com/errata/RHSA-2021:0874
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:0872 https://access.redhat.com/errata/RHSA-2021:0872
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35510
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.6 Via RHSA-2021:0974 https://access.redhat.com/errata/RHSA-2021:0974
This issue has been addressed in the following products: Red Hat EAP-XP via EAP 7.3.x base Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210
This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134