CVE-2023-3171: Eap-7: heap exhaustion via deserialization
First published: Thu Jun 08 2023(Updated: )
A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. This issue could allow an attacker to submit malicious requests using these classes, which could eventually exhaust the heap and result in a Denial of Service.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Red Hat JBoss Enterprise Application Platform | =7.4 | |
| Any of | ||
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 | |
| Red Hat JBoss Enterprise Application Platform |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2023:5484
- https://access.redhat.com/errata/RHSA-2023:5485
- https://access.redhat.com/errata/RHSA-2023:5486
- https://access.redhat.com/errata/RHSA-2023:5488
- https://access.redhat.com/security/cve/CVE-2023-3171
- https://bugzilla.redhat.com/show_bug.cgi?id=2213639
- https://access.redhat.com/errata/RHSA-2024:10208
- https://access.redhat.com/errata/RHSA-2024:10207
Frequently Asked Questions
What is the severity of CVE-2023-3171?
CVE-2023-3171 is considered a high severity vulnerability due to the potential for heap exhaustion caused by deserialization flaws.
How do I fix CVE-2023-3171?
To fix CVE-2023-3171, you should upgrade to the latest patched version of Red Hat JBoss Enterprise Application Platform or apply the recommended security updates.
What impact does CVE-2023-3171 have on my application?
CVE-2023-3171 can lead to denial of service by exhausting heap memory if exploited through malicious requests.
Which versions of JBoss are affected by CVE-2023-3171?
CVE-2023-3171 specifically affects Red Hat JBoss Enterprise Application Platform version 7.4.
Are there any workarounds for CVE-2023-3171?
While a patch is the most effective solution for CVE-2023-3171, mitigating the risk may involve limiting access to the application to trusted sources.
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/author
- agent/event
- agent/title
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-3171
- agent/last-modified-date
- agent/references
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/red hat jboss enterprise application platform
- version/red hat jboss enterprise application platform/7.4
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- version/red hat enterprise linux/9.0