drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in JBoss
Name: |
Mehrere Probleme in JBoss |
|
ID: |
RHSA-2018:0480-01 |
|
Distribution: |
Red Hat |
|
Plattformen: |
Red Hat JBoss Enterprise Application Platform |
|
Datum: |
Mo, 12. März 2018, 19:16 |
|
Referenzen: |
https://access.redhat.com/security/cve/CVE-2018-1048
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/installation_guide/
https://access.redhat.com/security/cve/CVE-2017-15095
https://access.redhat.com/security/cve/CVE-2017-12174
https://access.redhat.com/security/cve/CVE-2017-17485
https://access.redhat.com/security/cve/CVE-2017-15089
https://access.redhat.com/security/cve/CVE-2017-12196
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/
https://access.redhat.com/security/cve/CVE-2017-7561
https://access.redhat.com/security/cve/CVE-2018-5968 |
|
Applikationen: |
JBoss |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Important: JBoss Enterprise Application Platform 7.1.1 for RHEL 7 Advisory ID: RHSA-2018:0480-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2018:0480 Issue date: 2018-03-12 CVE Names: CVE-2017-7561 CVE-2017-12174 CVE-2017-12196 CVE-2017-15089 CVE-2017-15095 CVE-2017-17485 CVE-2018-1048 CVE-2018-5968 =====================================================================
1. Summary:
An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Server - noarch
3. Description:
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)
* infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)
* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095)
* jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)
* resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561)
* undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196)
* undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048)
* jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1483823 - CVE-2017-7561 resteasy: Vary header not added by CORS filter leading to cache poisoning 1498378 - CVE-2017-12174 artemis/hornetq: memory exhaustion via UDP and JGroups discovery 1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication 1503610 - CVE-2017-15089 infinispan: Unsafe deserialization of malicious object injected into data cache 1506612 - CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) 1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) 1534343 - CVE-2018-1048 undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser 1538332 - CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)
6. JIRA issues fixed (https://issues.jboss.org/):
JBEAP-7532 - Tracker bug for the EAP 7.1.1 release for RHEL-7
7. Package List:
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Server:
Source: eap7-activemq-artemis-1.5.5.009-1.redhat_1.1.ep7.el7.src.rpm eap7-apache-cxf-3.1.13-1.redhat_1.1.ep7.el7.src.rpm eap7-glassfish-jsf-2.2.13-6.SP5_redhat_1.1.ep7.el7.src.rpm eap7-hibernate-5.1.12-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-infinispan-8.2.9-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-ironjacamar-1.4.7-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-jackson-annotations-2.8.11-1.redhat_1.1.ep7.el7.src.rpm eap7-jackson-core-2.8.11-1.redhat_1.1.ep7.el7.src.rpm eap7-jackson-databind-2.8.11-1.redhat_1.1.ep7.el7.src.rpm eap7-jackson-jaxrs-providers-2.8.11-1.redhat_1.1.ep7.el7.src.rpm eap7-jackson-module-jaxb-annotations-2.8.11-1.redhat_1.1.ep7.el7.src.rpm eap7-jackson-modules-java8-2.8.11-1.redhat_1.1.ep7.el7.src.rpm eap7-jboss-logmanager-2.0.8-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-jboss-server-migration-1.0.3-6.Final_redhat_6.1.ep7.el7.src.rpm eap7-jbossws-cxf-5.1.10-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-narayana-5.5.31-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-picketlink-bindings-2.5.5-10.SP9_redhat_1.1.ep7.el7.src.rpm eap7-picketlink-federation-2.5.5-10.SP9_redhat_1.1.ep7.el7.src.rpm eap7-resteasy-3.0.25-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-undertow-1.4.18-4.SP2_redhat_1.1.ep7.el7.src.rpm eap7-undertow-jastow-2.0.3-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-wildfly-7.1.1-4.GA_redhat_2.1.ep7.el7.src.rpm eap7-wildfly-elytron-1.1.8-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-wildfly-http-client-1.0.9-1.Final_redhat_1.1.ep7.el7.src.rpm eap7-wildfly-javadocs-7.1.1-3.GA_redhat_2.1.ep7.el7.src.rpm eap7-wss4j-2.1.11-1.redhat_1.1.ep7.el7.src.rpm eap7-xml-security-2.0.9-1.redhat_1.1.ep7.el7.src.rpm
noarch: eap7-activemq-artemis-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-cli-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-commons-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-core-client-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-dto-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-hornetq-protocol-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rp m eap7-activemq-artemis-hqclient-protocol-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rp m eap7-activemq-artemis-jdbc-store-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-jms-client-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-jms-server-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-journal-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-native-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-ra-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-selector-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-server-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rpm eap7-activemq-artemis-service-extensions-1.5.5.009-1.redhat_1.1.ep7.el7.noarch.rp m eap7-apache-cxf-3.1.13-1.redhat_1.1.ep7.el7.noarch.rpm eap7-apache-cxf-rt-3.1.13-1.redhat_1.1.ep7.el7.noarch.rpm eap7-apache-cxf-services-3.1.13-1.redhat_1.1.ep7.el7.noarch.rpm eap7-apache-cxf-tools-3.1.13-1.redhat_1.1.ep7.el7.noarch.rpm eap7-glassfish-jsf-2.2.13-6.SP5_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-5.1.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-core-5.1.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-entitymanager-5.1.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-envers-5.1.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-infinispan-5.1.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-hibernate-java8-5.1.12-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-8.2.9-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-cachestore-jdbc-8.2.9-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-cachestore-remote-8.2.9-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-client-hotrod-8.2.9-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-commons-8.2.9-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-infinispan-core-8.2.9-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-ironjacamar-1.4.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-ironjacamar-common-api-1.4.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-ironjacamar-common-impl-1.4.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-ironjacamar-common-spi-1.4.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-ironjacamar-core-api-1.4.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-ironjacamar-core-impl-1.4.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-ironjacamar-deployers-common-1.4.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-ironjacamar-jdbc-1.4.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-ironjacamar-validator-1.4.7-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-jackson-annotations-2.8.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-jackson-core-2.8.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-jackson-databind-2.8.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-jackson-datatype-jdk8-2.8.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-jackson-datatype-jsr310-2.8.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-jackson-jaxrs-base-2.8.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-jackson-jaxrs-json-provider-2.8.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-jackson-module-jaxb-annotations-2.8.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-jackson-modules-java8-2.8.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-jboss-logmanager-2.0.8-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-jboss-server-migration-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rpm eap7-jboss-server-migration-cli-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rpm eap7-jboss-server-migration-core-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rpm eap7-jboss-server-migration-eap6.4-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-eap6.4-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rpm eap7-jboss-server-migration-eap7.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-wildfly10.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-wildfly10.1-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-wildfly10.1-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-wildfly8.2-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-wildfly8.2-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-wildfly8.2-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-wildfly9.0-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-wildfly9.0-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jboss-server-migration-wildfly9.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el7.noarch.rp m eap7-jbossws-cxf-5.1.10-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-compensations-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-jbosstxbridge-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-jbossxts-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-jts-idlj-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-jts-integration-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-restat-api-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-restat-bridge-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-restat-integration-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-restat-util-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-narayana-txframework-5.5.31-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-api-2.5.5-10.SP9_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-bindings-2.5.5-10.SP9_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-common-2.5.5-10.SP9_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-config-2.5.5-10.SP9_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-federation-2.5.5-10.SP9_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-idm-api-2.5.5-10.SP9_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-idm-impl-2.5.5-10.SP9_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-idm-simple-schema-2.5.5-10.SP9_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-impl-2.5.5-10.SP9_redhat_1.1.ep7.el7.noarch.rpm eap7-picketlink-wildfly8-2.5.5-10.SP9_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-atom-provider-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-cdi-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-client-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-crypto-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jackson-provider-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jackson2-provider-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jaxb-provider-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jaxrs-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jettison-provider-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jose-jwt-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-jsapi-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-json-p-provider-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-multipart-provider-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-spring-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-resteasy-validator-provider-11-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rp m eap7-resteasy-yaml-provider-3.0.25-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-undertow-1.4.18-4.SP2_redhat_1.1.ep7.el7.noarch.rpm eap7-undertow-jastow-2.0.3-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-wildfly-7.1.1-4.GA_redhat_2.1.ep7.el7.noarch.rpm eap7-wildfly-elytron-1.1.8-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-wildfly-http-client-common-1.0.9-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-wildfly-http-ejb-client-1.0.9-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-wildfly-http-naming-client-1.0.9-1.Final_redhat_1.1.ep7.el7.noarch.rpm eap7-wildfly-http-transaction-client-1.0.9-1.Final_redhat_1.1.ep7.el7.noarch.rp m eap7-wildfly-javadocs-7.1.1-3.GA_redhat_2.1.ep7.el7.noarch.rpm eap7-wildfly-modules-7.1.1-4.GA_redhat_2.1.ep7.el7.noarch.rpm eap7-wss4j-2.1.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-wss4j-bindings-2.1.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-wss4j-policy-2.1.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-wss4j-ws-security-common-2.1.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-wss4j-ws-security-dom-2.1.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-wss4j-ws-security-policy-stax-2.1.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-wss4j-ws-security-stax-2.1.11-1.redhat_1.1.ep7.el7.noarch.rpm eap7-xml-security-2.0.9-1.redhat_1.1.ep7.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
8. References:
https://access.redhat.com/security/cve/CVE-2017-7561 https://access.redhat.com/security/cve/CVE-2017-12174 https://access.redhat.com/security/cve/CVE-2017-12196 https://access.redhat.com/security/cve/CVE-2017-15089 https://access.redhat.com/security/cve/CVE-2017-15095 https://access.redhat.com/security/cve/CVE-2017-17485 https://access.redhat.com/security/cve/CVE-2018-1048 https://access.redhat.com/security/cve/CVE-2018-5968 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/installation_guide/
9. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFaprMLXlSAg2UNWIIRAhCGAJ9snEY0uuNrrVqmM0aidwntJhDexgCcCZsg Wu8sAuppGZzph73KulIH0Yc= =CxJV -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
|
|
|
|