Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in Red Hat JBoss Enterprise Application Platform
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in Red Hat JBoss Enterprise Application Platform
ID: RHSA-2018:2743-01
Distribution: Red Hat
Plattformen: Red Hat JBoss Enterprise Application Platform
Datum: Di, 25. September 2018, 07:40
Referenzen: https://access.redhat.com/security/cve/CVE-2017-7536
https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-10237
Applikationen: Red Hat JBoss Enterprise Application Platform

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform
6.4.21 security update
Advisory ID: RHSA-2018:2743-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2743
Issue date: 2018-09-24
CVE Names: CVE-2017-2582 CVE-2017-7536 CVE-2018-1336
CVE-2018-10237
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform 6.4 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 6.4.21 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.20,
and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* hibernate-validator: Privilege escalation when running under the security
manager (CVE-2017-7536)

* guava: Unbounded memory allocation in AtomicDoubleArray and
CompoundOrdering classes allow remote attackers to cause a denial of
service (CVE-2018-10237)

* picketlink: The fix for CVE-2017-2582 breaks the feature of attribute
replacement with system property in picketlink.xml (CVE-2017-2582)

* jbossweb: tomcat: A bug in the UTF-8 decoder can lead to DoS
(CVE-2018-1336)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the
CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1261190 - [GSS](6.4.z) Upgrade jboss-ejb-client from 1.0.40 to 1.0.41
1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces
special strings with system properties
1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running
under the security manager
1570200 - [GSS](6.4.z) Upgrade JBoss Modules from 1.3.10 to 1.3.11
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in
AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1578830 - (6.4.z) Upgrade hibernate-validator from 4.3.3 to 4.3.4
1580440 - [GSS](6.4.z) Upgrade xnio from 3.0.16 to 3.0.17
1594389 - [GSS](6.4.z) The fix for CVE-2017-2582 breaks the feature of
attribute replacement with system property in picketlink.xml
1602226 - [GSS](6.4.z) Upgrade xerces from 2.9.1.redhat-6 to 2.9.1.redhat-8
1606334 - [GSS](6.4.z) Upgrade JBoss VFS from 3.2.12 to 3.2.13
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1610355 - [GSS](6.4.z) Upgrade HornetQ from 2.3.25.SP24 to 2.3.25.SP28
1610742 - [GSS](6.4.z) Upgrade JBoss Web from 7.5.28 to 7.5.29
1611770 - [GSS](6.4.z) Upgrade Ironjacamar from 1.0.41 to 1.0.42
1614448 - [GSS](6.4.z) Upgrade Jackson from 1.9.9.redhat-6 to 1.9.9.redhat-7
1615347 - [GSS](6.4.z) Upgrade PicketLink from 2.5.4.SP18-redhat-1 to
2.5.4.SP18-redhat-2
1615380 - [GSS](6.4.z) Upgrade Guava from 13.0.1.redhat-2 to 13.0.1.redhat-3

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:

Source:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el6.src.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el6.src.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el6.src.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el6.src.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el6.src.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el6.src.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el6.src.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el6.src.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el6.src.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el6.src.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el6.src.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el6.src.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el6.src.rpm

noarch:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el6.noarch.rpm
codehaus-jackson-core-asl-1.9.9-14.redhat_7.1.ep6.el6.noarch.rpm
codehaus-jackson-jaxrs-1.9.9-14.redhat_7.1.ep6.el6.noarch.rpm
codehaus-jackson-mapper-asl-1.9.9-14.redhat_7.1.ep6.el6.noarch.rpm
codehaus-jackson-xc-1.9.9-14.redhat_7.1.ep6.el6.noarch.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el6.noarch.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el6.noarch.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el6.noarch.rpm
ironjacamar-core-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el6.noarch.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el6.noarch.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el6.noarch.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el6.noarch.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el6.noarch.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el6.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/cve/CVE-2017-7536
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW6lht9zjgjWX9erEAQj1KRAAo3GwlHYZtEgH69JknBOF6S2Wmfh/onUt
QJywsaAGnd3jB+awxpAH8ADPy3Cc7khaUymN0D1/o6B7/sGiHl6+TgjNhMdFRJJz
Snfnvc3ChZfIpKnyfCCopbx6Z55yJdMzjvAHrMGhlWWlmiar8pEI24L7O5DX7Zpe
hwP9d37YpYIqEqT9AODOQs9jpK7GdV4io6kbKmzK6Cy0qzk13S3kS3vsqaswB3Cd
TyO13QfIOZPVnjPhNvrj8IMQBAxlBTnDbb3jhUIJIuJfz/+uoB56L67ICI/s2cGB
qgHhmDaY2Jf5sirKgs66omihSm8bLdikCvo1qH/E2gPR0vEbA0haDOlljK8f/Oz0
zJQtakYUl03GnORrzXFYFIZ8IiVgZuqKEmsYR+leelZ1ZNA7pQGUZG2O7MPRPjq+
EpJMrymWhrkeqhzROVRGM0AGCgOaa7KNArXgObgj14kHkkAXLlCBI0BYc71aAQc+
h8f2zyaG20NNkQ5q37eMRHKLD7cUvAjovULiiJueip0RA1MPAIuLluWMHRzAqsor
57wze4uUM9uQAl//3O6rpcZS0m8nvu01ByB985QFVW82mxbDmJV9UT3PDucc0QUQ
pqjQtT/n141rFaUworha1iTAEtIGTUNiQHMiMIsnGl45TCV9yxlXI2Nu0EGR9NEz
lZvwOxCPuPk=
=kys3
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Pro-Linux
Unterstützer werden
Neue Nachrichten
Werbung