Vulnerability Description
It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for the /etc/sysconfig/jbossas configuration file. The file is writable by the jboss group (root:jboss, mode 664). On systems using classic /etc/init.d init scripts (i.e. Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script, so its content is executed with root privileges when the jboss service is started, stopped, or restarted.
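The issue above is a permissions problem on a file that an init script sources as root, so the practical check is whether anyone other than root can write it. The following script is an added example, not code from the advisory or from Red Hat: it reports whether a given sysconfig file is group- or world-writable and offers a remediation that drops those write bits. It assumes GNU coreutils `stat` (Linux); the function names and the chosen remediation are assumptions of this example, not the erratum's exact change.

```shell
#!/bin/sh
# Added defensive check (not from the advisory): a sysconfig file that an
# /etc/init.d script sources as root must not be writable by a service group
# or by everyone. Assumes GNU coreutils `stat` (Linux).
# Exit status of check_sysconfig_perms: 0 safe, 1 unsafe, 2 file missing.

check_sysconfig_perms() {
    file="$1"
    if [ ! -e "$file" ]; then
        echo "MISSING $file"
        return 2
    fi
    mode=$(stat -c '%a' "$file")        # octal mode, e.g. 664
    owner=$(stat -c '%U' "$file")       # owner name, e.g. root
    group=$(stat -c '%G' "$file")       # group name, e.g. jboss
    sym=$(stat -c '%A' "$file")         # symbolic mode, e.g. -rw-rw-r--
    group_w=$(printf '%s' "$sym" | cut -c6)   # 'w' when group-writable
    other_w=$(printf '%s' "$sym" | cut -c9)   # 'w' when world-writable

    if [ "$other_w" = "w" ]; then
        echo "UNSAFE $file ($owner:$group $mode): world-writable, sourced as root"
        return 1
    fi
    if [ "$group_w" = "w" ] && [ "$group" != "root" ]; then
        echo "UNSAFE $file ($owner:$group $mode): writable by group '$group', sourced as root"
        return 1
    fi
    echo "OK $file ($owner:$group $mode)"
    return 0
}

# One possible remediation (an assumption of this example): remove the group
# and world write bits so only root can change what the init script executes.
harden_sysconfig_perms() {
    chmod go-w "$1"
}

# Usage: sh check_sysconfig.sh /etc/sysconfig/jbossas
for f in "$@"; do
    check_sysconfig_perms "$f"
done
```

Run it against /etc/sysconfig/jbossas on a RHEL 6 or earlier host to confirm the file is no longer group-writable after the errata packages are applied; on a vulnerable host it prints an UNSAFE line naming the jboss group.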
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Jboss Enterprise Application Platform | 6.0.0 |
| Redhat | Enterprise Linux | 5 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2017-0826.html (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0827.html (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0828.html (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0829.html (Vendor Advisory)
- http://www.securityfocus.com/bid/96896 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:1609 (Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8657 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2016-8657?
CVE-2016-8657 is a vulnerability with a CVSS score of 7.8 (HIGH). It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for the /etc/sysconfig/jbossas configuration file. The file is writable by the jboss group (root:...
How severe is CVE-2016-8657?
CVE-2016-8657 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2016-8657?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Jboss Enterprise Application Platform, Redhat Enterprise Linux.