CVE-2021-28170: Input Validation
First published: Thu Apr 01 2021(Updated: )
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-apache-commons-io | <0:2.10.0-1.redhat_00001.1.el6ea | 0:2.10.0-1.redhat_00001.1.el6ea |
| redhat/eap7-hal-console | <0:3.2.16-1.Final_redhat_00001.1.el6ea | 0:3.2.16-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate | <0:5.3.20-4.SP2_redhat_00001.1.el6ea | 0:5.3.20-4.SP2_redhat_00001.1.el6ea |
| redhat/eap7-ironjacamar | <0:1.4.35-1.Final_redhat_00001.1.el6ea | 0:1.4.35-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jakarta-el | <0:3.0.3-2.redhat_00006.1.el6ea | 0:3.0.3-2.redhat_00006.1.el6ea |
| redhat/eap7-jberet | <0:1.3.9-1.Final_redhat_00001.1.el6ea | 0:1.3.9-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-remoting | <0:5.0.23-2.SP1_redhat_00001.1.el6ea | 0:5.0.23-2.SP1_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-9.Final_redhat_00010.1.el6ea | 0:1.7.2-9.Final_redhat_00010.1.el6ea |
| redhat/eap7-narayana | <0:5.9.12-1.Final_redhat_00001.1.el6ea | 0:5.9.12-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-picketbox | <0:5.0.3-9.Final_redhat_00008.1.el6ea | 0:5.0.3-9.Final_redhat_00008.1.el6ea |
| redhat/eap7-undertow | <0:2.0.39-1.SP2_redhat_00001.1.el6ea | 0:2.0.39-1.SP2_redhat_00001.1.el6ea |
| redhat/eap7-wildfly | <0:7.3.9-2.GA_redhat_00002.1.el6ea | 0:7.3.9-2.GA_redhat_00002.1.el6ea |
| redhat/eap7-wildfly-http-client | <0:1.0.29-1.Final_redhat_00002.1.el6ea | 0:1.0.29-1.Final_redhat_00002.1.el6ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.14-2.Final_redhat_00001.1.el6ea | 0:1.1.14-2.Final_redhat_00001.1.el6ea |
| redhat/eap7-apache-commons-io | <0:2.10.0-1.redhat_00001.1.el7ea | 0:2.10.0-1.redhat_00001.1.el7ea |
| redhat/eap7-hal-console | <0:3.2.16-1.Final_redhat_00001.1.el7ea | 0:3.2.16-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate | <0:5.3.20-4.SP2_redhat_00001.1.el7ea | 0:5.3.20-4.SP2_redhat_00001.1.el7ea |
| redhat/eap7-ironjacamar | <0:1.4.35-1.Final_redhat_00001.1.el7ea | 0:1.4.35-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jakarta-el | <0:3.0.3-2.redhat_00006.1.el7ea | 0:3.0.3-2.redhat_00006.1.el7ea |
| redhat/eap7-jberet | <0:1.3.9-1.Final_redhat_00001.1.el7ea | 0:1.3.9-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-remoting | <0:5.0.23-2.SP1_redhat_00001.1.el7ea | 0:5.0.23-2.SP1_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-9.Final_redhat_00010.1.el7ea | 0:1.7.2-9.Final_redhat_00010.1.el7ea |
| redhat/eap7-narayana | <0:5.9.12-1.Final_redhat_00001.1.el7ea | 0:5.9.12-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-picketbox | <0:5.0.3-9.Final_redhat_00008.1.el7ea | 0:5.0.3-9.Final_redhat_00008.1.el7ea |
| redhat/eap7-undertow | <0:2.0.39-1.SP2_redhat_00001.1.el7ea | 0:2.0.39-1.SP2_redhat_00001.1.el7ea |
| redhat/eap7-wildfly | <0:7.3.9-2.GA_redhat_00002.1.el7ea | 0:7.3.9-2.GA_redhat_00002.1.el7ea |
| redhat/eap7-wildfly-http-client | <0:1.0.29-1.Final_redhat_00002.1.el7ea | 0:1.0.29-1.Final_redhat_00002.1.el7ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.14-2.Final_redhat_00001.1.el7ea | 0:1.1.14-2.Final_redhat_00001.1.el7ea |
| redhat/eap7-apache-commons-io | <0:2.10.0-1.redhat_00001.1.el8ea | 0:2.10.0-1.redhat_00001.1.el8ea |
| redhat/eap7-hal-console | <0:3.2.16-1.Final_redhat_00001.1.el8ea | 0:3.2.16-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate | <0:5.3.20-4.SP2_redhat_00001.1.el8ea | 0:5.3.20-4.SP2_redhat_00001.1.el8ea |
| redhat/eap7-ironjacamar | <0:1.4.35-1.Final_redhat_00001.1.el8ea | 0:1.4.35-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jakarta-el | <0:3.0.3-2.redhat_00006.1.el8ea | 0:3.0.3-2.redhat_00006.1.el8ea |
| redhat/eap7-jberet | <0:1.3.9-1.Final_redhat_00001.1.el8ea | 0:1.3.9-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-remoting | <0:5.0.23-2.SP1_redhat_00001.1.el8ea | 0:5.0.23-2.SP1_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-9.Final_redhat_00010.1.el8ea | 0:1.7.2-9.Final_redhat_00010.1.el8ea |
| redhat/eap7-narayana | <0:5.9.12-1.Final_redhat_00001.1.el8ea | 0:5.9.12-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-picketbox | <0:5.0.3-9.Final_redhat_00008.1.el8ea | 0:5.0.3-9.Final_redhat_00008.1.el8ea |
| redhat/eap7-undertow | <0:2.0.39-1.SP2_redhat_00001.1.el8ea | 0:2.0.39-1.SP2_redhat_00001.1.el8ea |
| redhat/eap7-wildfly | <0:7.3.9-2.GA_redhat_00002.1.el8ea | 0:7.3.9-2.GA_redhat_00002.1.el8ea |
| redhat/eap7-wildfly-http-client | <0:1.0.29-1.Final_redhat_00002.1.el8ea | 0:1.0.29-1.Final_redhat_00002.1.el8ea |
| redhat/eap7-wildfly-transaction-client | <0:1.1.14-2.Final_redhat_00001.1.el8ea | 0:1.1.14-2.Final_redhat_00001.1.el8ea |
| Eclipse Jakarta Expression Language | <=3.0.3 | |
| Red Hat Build of Quarkus | <2.3.0 | |
| oracle communications Cloud native core policy | =1.14.0 | |
| Oracle WebLogic Server | =14.1.1.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/eclipse-ee4j/el-ri/issues/155
- https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1965500
- https://access.redhat.com/errata/RHSA-2021:3471
- https://access.redhat.com/errata/RHSA-2021:3468
- https://access.redhat.com/errata/RHSA-2021:3466
- https://access.redhat.com/errata/RHSA-2021:3467
- https://access.redhat.com/security/cve/cve-2021-28170
- https://access.redhat.com/errata/RHSA-2021:3516
- https://access.redhat.com/errata/RHSA-2021:3534
- https://access.redhat.com/errata/RHSA-2021:3656
- https://access.redhat.com/errata/RHSA-2021:3658
- https://access.redhat.com/errata/RHSA-2021:3660
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/errata/RHSA-2022:0589
- https://access.redhat.com/errata/RHSA-2022:1013
- https://access.redhat.com/errata/RHSA-2022:1029
- https://bugzilla.redhat.com/show_bug.cgi?id=1965497
- https://www.cve.org/CVERecord?id=CVE-2021-28170 https://nvd.nist.gov/vuln/detail/CVE-2021-28170 https://securitylab.github.com/advisories/GHSL-2020-021-jakarta-el/
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-28170
- agent/remedy
- agent/author
- agent/weakness
- agent/references
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/eclipse
- canonical/eclipse jakarta expression language
- version/eclipse jakarta expression language/3.0.3
- vendor/quarkus
- canonical/red hat build of quarkus
- vendor/oracle
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle weblogic server
- version/oracle weblogic server/14.1.1.0.0