CVE-2015-5220 CVE-2015-5188 CVE-2015-5178

Document ID : KB000121610
Last Modified Date : 28/11/2018
Show Technical Document Details
Question:
Is Process Automation vulnerable to the following CVEs?

CVE-2015-5220 
CVE-2015-5188 
CVE-2015-5178 


CVE-2015-5178: The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

CVE-2015-5188: Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for requests that make arbitrary changes to an instance via vectors involving a file upload using a multipart/form-data submission.

CVE-2015-5220: The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 and WildFly (formerly JBoss Application Server) allows remote attackers to cause a denial of service (memory consumption) via a large request header.
Answer:
Remediation in 4.3 SP02 for the following CVEs 
CVE-2015-5220 
CVE-2015-5188 
CVE-2015-5178 

These had to do with the Management console. 
In a 4.3 SP02, the management folder originally located at <PAM_Installation_Location>>\server\c2o\deploy is no longer present. 

This was addressed with 4.3 SP2 and 4.3 SP3. Process Automation is not vulnerable to the CVEs mentioned.