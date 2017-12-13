-----BEGIN PGP SIGNED MESSAGE-----

Red Hat Security Advisory



Synopsis: Important: eap7-jboss-ec2-eap security update

Advisory ID: RHSA-2017:3458-01

Product: Red Hat JBoss Enterprise Application Platform

Advisory URL: https://access.redhat.com/errata/RHSA-2017:3458

Issue date: 2017-12-13

CVE Names: CVE-2016-4978 CVE-2016-4993 CVE-2016-5406
CVE-2016-6311 CVE-2016-7046 CVE-2016-7061
CVE-2016-8627 CVE-2016-8656 CVE-2016-9589
CVE-2017-2595 CVE-2017-2666 CVE-2017-2670
CVE-2017-7525 CVE-2017-7536 CVE-2017-7559
CVE-2017-12165 CVE-2017-12167

=====================================================================



1. Summary:



An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss
Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6 and Red
Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux
7.



Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.



2. Relevant releases/architectures:



Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Server - noarch

Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Server - noarch



3. Description:



The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss
Enterprise Application Platform running on the Amazon Web Services (AWS)
Elastic Compute Cloud (EC2).



With this update, the eap7-jboss-ec2-eap package has been updated to ensure
compatibility with Red Hat JBoss Enterprise Application Platform 7.1.



Refer to the JBoss Enterprise Application Platform 7.1 Release Notes,
linked to in the References section, for information on the most
significant bug fixes and enhancements included in this release.



Security Fix(es):



* A denial of service can be triggered by sending a long request to EAP 7.
(CVE-2016-7046)

* Unsafe file handling (a chown of server.log) in the jboss init script
allows local privilege escalation. (CVE-2016-8656)

* A deserialization vulnerability in the readValue method of ObjectMapper
allows arbitrary code execution. (CVE-2017-7525)

* JMSObjectMessage deserializes potentially malicious objects, allowing
remote code execution. (CVE-2016-4978)

* Undertow is vulnerable to the injection of arbitrary HTTP headers and to
response splitting. (CVE-2016-4993)

* The domain controller does not propagate its administrative RBAC
configuration to some slaves (those running an earlier version), allowing
users of those slaves to escalate their privileges. (CVE-2016-5406)

* An internal IP address is disclosed on redirect when the request's Host
header is not set. (CVE-2016-6311)

* Potential EAP resource-starvation DoS attack via GET requests for server
log files. (CVE-2016-8627)

* An inefficient header cache could cause denial of service.
(CVE-2016-9589)

* The log file viewer allows an authenticated user to read arbitrary files
via path traversal. (CVE-2017-2595)

* HTTP request smuggling vulnerability due to permitting invalid characters
in HTTP requests. (CVE-2017-2666)

* A non-clean WebSocket close can cause an IO thread to get stuck in a
loop. (CVE-2017-2670)

* Privilege escalation with the security manager's reflective permissions
when they are granted to Hibernate Validator. (CVE-2017-7536)

* Potential HTTP request smuggling, as Undertow parses HTTP headers that
contain unusual whitespace. (CVE-2017-7559)

* The properties files of the management and application realms are world
readable, exposing user and role information to every user logged in to
the system. (CVE-2017-12167)

* The RBAC configuration allows users with the Monitor role to view
sensitive information. (CVE-2016-7061)

* Improper whitespace parsing leading to potential HTTP request smuggling.
(CVE-2017-12165)
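Two of the fixes above are local file-handling problems on the EAP host itself (the world-readable realm property files of CVE-2017-12167 and the init script chown of CVE-2016-8656), which an administrator can check for independently of the package update. The script below is an added example; it is not part of this advisory and not Red Hat's init script or packaging. It assumes (not stated on this page) that the realm files are named mgmt-users.properties, mgmt-groups.properties, application-users.properties and application-roles.properties under <JBOSS_HOME>/standalone/configuration and <JBOSS_HOME>/domain/configuration, and it describes the symlink-swap mechanism of the chown bug as the usual pattern for that bug class, since the actual script lines are not reproduced here. The directory layout it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example; not part of the advisory and not Red Hat's init script or
# packaging. Two local checks for the file-handling bugs fixed here, run
# as an unprivileged user against a constructed directory layout.
#
# Assumptions (not stated on the page): realm user/role files live under
# <JBOSS_HOME>/standalone/configuration and <JBOSS_HOME>/domain/configuration
# as mgmt-users.properties, mgmt-groups.properties,
# application-users.properties and application-roles.properties.

# CVE-2017-12167: realm property files hold password hashes and role
# mappings, so group and other must have no access. Prints each offending
# file; returns 0 when every present file is private, 1 otherwise.
audit_realm_files() {
    home=$1
    bad=0
    for dir in "$home/standalone/configuration" "$home/domain/configuration"; do
        [ -d "$dir" ] || continue
        for f in "$dir/mgmt-users.properties" "$dir/mgmt-groups.properties" \
                 "$dir/application-users.properties" "$dir/application-roles.properties"; do
            [ -f "$f" ] || continue
            # octal mode without leading zeros (GNU/busybox stat; BSD fallback)
            mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
            mode=$(printf '%03d' "$mode")
            case $mode in
                *00) ;;                                  # group=0 and other=0
                *)   echo "realm file readable by others: $f (mode $mode)"; bad=1 ;;
            esac
        done
    done
    return $bad
}

# CVE-2016-8656: an init script running as root chowned server.log inside a
# log directory the service user can write to. In the usual pattern for this
# bug class (assumed here; the script lines are not on the page) that user
# replaces the file with a symlink to a root-owned file, and root's chown
# lands on the link target. The safe variant refuses symlinks and
# non-regular files and uses chown -h, which never follows a link even if
# the file is swapped after the check. Usage: safe_chown_log OWNER FILE
safe_chown_log() {
    owner=$1; file=$2
    if [ -L "$file" ]; then
        echo "refusing to chown symlink: $file" >&2; return 1
    fi
    if [ -e "$file" ] && [ ! -f "$file" ]; then
        echo "refusing to chown non-regular file: $file" >&2; return 1
    fi
    [ -e "$file" ] || return 0      # nothing to adopt; let the server create it
    chown -h "$owner" "$file"
}

# Constructed demo layout, not a real installation.
demo() {
    top=$(mktemp -d)
    cfg=$top/standalone/configuration; log=$top/standalone/log
    mkdir -p "$cfg" "$log"
    printf 'admin=0123456789abcdef0123456789abcdef\n' > "$cfg/mgmt-users.properties"  # constructed hash
    printf 'admin=SuperUser\n' > "$cfg/mgmt-groups.properties"
    chmod 644 "$cfg/mgmt-users.properties"      # the pre-fix, world-readable mode
    chmod 600 "$cfg/mgmt-groups.properties"
    audit_realm_files "$top"; echo "audit exit status: $?"
    : > "$log/server.log"
    ln -s /etc/passwd "$log/server.log.planted"  # what a malicious service user would plant
    safe_chown_log "$(id -u)" "$log/server.log"; echo "regular file: $?"
    safe_chown_log "$(id -u)" "$log/server.log.planted"; echo "symlink: $?"
    rm -rf "$top"
}
demo
```

Run it as the service user to audit an installed tree (`audit_realm_files /opt/rh/eap7/root/usr/share/wildfly` or wherever JBOSS_HOME points); any output from the audit means a logged-in local user could read password hashes and role mappings. The chown helper is the pattern to hold an init script to: with `-h` the ownership change is applied to the link itself, so a planted symlink can never hand a root-owned file to the service account.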



Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting
CVE-2017-7525; Calum Hutton (NCC Group) and Mikhail Egorov (Odin) for
reporting CVE-2016-4993; Luca Bueti for reporting CVE-2016-6311; Gabriel
Lavoie (Halogen Software) for reporting CVE-2016-9589; and Gregory
Ramsperger and Ryan Moak for reporting CVE-2017-2670. The CVE-2016-5406
issue was discovered by Tomaz Cerar (Red Hat); the CVE-2016-8627 issue was
discovered by Darran Lofthouse (Red Hat) and Brian Stansberry (Red Hat);
the CVE-2017-2666 issue was discovered by Radim Hatlapatka (Red Hat); the
CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat); the
CVE-2017-7559 and CVE-2017-12165 issues were discovered by Stuart Douglas
(Red Hat); and the CVE-2017-12167 issue was discovered by Brian Stansberry
(Red Hat) and Jeremy Choi (Red Hat). Upstream acknowledges WildFly as the
original reporter of CVE-2016-6311.



4. Solution:



Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258



5. Bugs fixed (https://bugzilla.redhat.com/):



1344321 - CVE-2016-4993 eap: HTTP header injection / response splitting
1359014 - CVE-2016-5406 EAP7 Privilege escalation when managing domain
including earlier version slaves
1362735 - CVE-2016-6311 (EAP7) Internal IP address disclosed on redirect when
request header Host field is not set
1376646 - CVE-2016-7046 undertow: Long URL proxy request lead to
java.nio.BufferOverflowException and DoS
1379207 - CVE-2016-4978 Apache ActiveMQ Artemis: Deserialization of untrusted
input vulnerability
1380852 - CVE-2016-7061 EAP: Sensitive data can be exposed at the server level
in domain mode
1388240 - CVE-2016-8627 Potential EAP resource starvation DOS attack via GET
requests for server log files
1400344 - CVE-2016-8656 jboss: jbossas: unsafe chown of server.log in jboss
init script allows privilege escalation
1404782 - CVE-2016-9589 wildfly: ParseState headerValuesCache can be exploited
to fill heap with garbage
1413028 - CVE-2017-2595 wildfly: Arbitrary file read via path traversal
1436163 - CVE-2017-2666 undertow: HTTP Request smuggling vulnerability due to
permitting invalid characters in HTTP requests
1438885 - CVE-2017-2670 undertow: IO thread DoS via unclean Websocket closing
1462702 - CVE-2017-7525 jackson-databind: Deserialization vulnerability via
readValue method of ObjectMapper
1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running
under the security manager
1481665 - CVE-2017-7559 undertow: HTTP Request smuggling vulnerability
(incomplete fix of CVE-2017-2666)
1490301 - CVE-2017-12165 undertow: improper whitespace parsing leading to
potential HTTP request smuggling
1491612 - CVE-2017-12167 EAP-7: Wrong privileges on multiple property files



6. JIRA issues fixed (https://issues.jboss.org/):



JBEAP-5324 - jboss-ec2-eap for EAP 7.1.0



7. Package List:



Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Server:



Source:

eap7-jboss-ec2-eap-7.1.0-5.GA_redhat_5.ep7.el6.src.rpm



noarch:

eap7-jboss-ec2-eap-7.1.0-5.GA_redhat_5.ep7.el6.noarch.rpm

eap7-jboss-ec2-eap-samples-7.1.0-5.GA_redhat_5.ep7.el6.noarch.rpm



Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Server:



Source:

eap7-jboss-ec2-eap-7.1.0-5.GA_redhat_5.ep7.el7.src.rpm



noarch:

eap7-jboss-ec2-eap-7.1.0-5.GA_redhat_5.ep7.el7.noarch.rpm

eap7-jboss-ec2-eap-samples-7.1.0-5.GA_redhat_5.ep7.el7.noarch.rpm



These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
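Checking a fleet against the package list above means comparing each host's installed eap7-jboss-ec2-eap version-release against the fixed build (7.1.0-5.GA_redhat_5.ep7.el6 or .el7) using rpm's ordering rules, not plain string comparison. The script below is an added example, not part of this advisory or of Red Hat's tooling: it re-implements rpm's segment-by-segment version comparison in awk (digits compared numerically, letters lexically, a numeric segment beats an alphabetic one, and a longer list wins when all shared segments are equal), applied to the version first and then the release. On a real host the installed value comes from `rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' eap7-jboss-ec2-eap`, and the downloaded RPM's Red Hat signature is checked with `rpm -K <file>.rpm` after importing the key from the URL above; the host inventory and the non-fixed version strings below are constructed for the demo, and the package epoch is ignored since it has none.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide whether an installed
# eap7-jboss-ec2-eap build is older than the fixed build in this advisory.
# Input is the "%{VERSION}-%{RELEASE}" string that
#   rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' eap7-jboss-ec2-eap
# prints on a real host. Inventory values below are constructed; only the
# FIXED_* strings are taken from the advisory's package list.

FIXED_EL6='7.1.0-5.GA_redhat_5.ep7.el6'
FIXED_EL7='7.1.0-5.GA_redhat_5.ep7.el7'

# rpm_vercmp A B -> prints -1, 0 or 1, following rpm's rules: split into
# runs of digits and runs of letters (everything else separates), compare
# digit runs numerically and letter runs lexically, a digit run beats a
# letter run, and when all shared segments match the longer list is newer.
rpm_vercmp() {
    awk -v A="$1" -v B="$2" '
    function segs(s, out,    n, i, c, k, cur, kind) {
        n = 0; cur = ""; kind = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            k = (c ~ /[0-9]/) ? "n" : (c ~ /[A-Za-z]/) ? "a" : ""
            if (k == "") {                          # separator: flush segment
                if (cur != "") { out[++n] = cur; cur = "" }
                kind = ""; continue
            }
            if (cur != "" && k != kind) { out[++n] = cur; cur = "" }
            cur = cur c; kind = k
        }
        if (cur != "") out[++n] = cur
        return n
    }
    BEGIN {
        na = segs(A, a); nb = segs(B, b)
        for (i = 1; i <= na && i <= nb; i++) {
            an = (a[i] ~ /^[0-9]+$/); bn = (b[i] ~ /^[0-9]+$/)
            if (an && bn) {
                if (a[i] + 0 != b[i] + 0) { r = (a[i] + 0 > b[i] + 0) ? 1 : -1; print r; exit }
            } else if (an != bn) {
                r = an ? 1 : -1; print r; exit      # numeric segment beats alphabetic
            } else if (a[i] != b[i]) {
                r = (a[i] > b[i]) ? 1 : -1; print r; exit
            }
        }
        r = (na == nb) ? 0 : (na > nb) ? 1 : -1
        print r
    }'
}

# needs_update INSTALLED FIXED -> exit status 0 when INSTALLED is older.
# Version and release are compared separately, as rpm does, so that
# 7.1-10 still sorts below 7.1.1-1.
needs_update() {
    iv=${1%-*}; ir=${1##*-}         # split "version-release" at the last '-'
    fv=${2%-*}; fr=${2##*-}
    c=$(rpm_vercmp "$iv" "$fv")
    if [ "$c" -eq 0 ]; then c=$(rpm_vercmp "$ir" "$fr"); fi
    [ "$c" -lt 0 ]
}

# Constructed inventory: "host version-release" as reported by rpm -q.
INVENTORY='web1 7.0.7-1.GA_redhat_1.ep7.el7
web2 7.1.0-5.GA_redhat_5.ep7.el7
web3 7.1.0-4.GA_redhat_4.ep7.el6
bld1 7.1.0-6.GA_redhat_6.ep7.el7'

report() {
    printf '%s\n' "$INVENTORY" | while read -r host nvr; do
        case $nvr in *.el6) fixed=$FIXED_EL6 ;; *) fixed=$FIXED_EL7 ;; esac
        if needs_update "$nvr" "$fixed"; then
            echo "$host: $nvr is older than $fixed -> apply RHSA-2017:3458"
        else
            echo "$host: $nvr is at or above the fixed build"
        fi
    done
}
report
```

Feed `report` the real output of `rpm -q --queryformat` collected from each host; a host whose release already carries a higher respin (like the constructed bld1 line) is correctly left alone, which a naive `sort` or string equality check would get wrong.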



8. References:



https://access.redhat.com/security/cve/CVE-2016-4978

https://access.redhat.com/security/cve/CVE-2016-4993

https://access.redhat.com/security/cve/CVE-2016-5406

https://access.redhat.com/security/cve/CVE-2016-6311

https://access.redhat.com/security/cve/CVE-2016-7046

https://access.redhat.com/security/cve/CVE-2016-7061

https://access.redhat.com/security/cve/CVE-2016-8627

https://access.redhat.com/security/cve/CVE-2016-8656

https://access.redhat.com/security/cve/CVE-2016-9589

https://access.redhat.com/security/cve/CVE-2017-2595

https://access.redhat.com/security/cve/CVE-2017-2666

https://access.redhat.com/security/cve/CVE-2017-2670

https://access.redhat.com/security/cve/CVE-2017-7525

https://access.redhat.com/security/cve/CVE-2017-7536

https://access.redhat.com/security/cve/CVE-2017-7559

https://access.redhat.com/security/cve/CVE-2017-12165

https://access.redhat.com/security/cve/CVE-2017-12167

https://access.redhat.com/security/updates/classification/#important

https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/



9. Contact:



The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/



Copyright 2017 Red Hat, Inc.

