Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in Red Hat JBoss Enterprise Application Platform
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in Red Hat JBoss Enterprise Application Platform
ID: RHSA-2025:1746
Distribution: Red Hat
Plattformen: Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server
Datum: Mo, 24. Februar 2025, 22:43
Referenzen: https://bugzilla.redhat.com/show_bug.cgi?id=1816337
https://access.redhat.com/security/cve/CVE-2021-45046
https://issues.redhat.com/browse/JBEAP-28817
https://access.redhat.com/security/cve/CVE-2020-10672
https://bugzilla.redhat.com/show_bug.cgi?id=2155681
https://access.redhat.com/security/cve/CVE-2021-44228
https://bugzilla.redhat.com/show_bug.cgi?id=2135244
https://bugzilla.redhat.com/show_bug.cgi?id=1816340
https://access.redhat.com/security/cve/CVE-2022-46363
https://access.redhat.com/security/cve/CVE-2020-9546
https://access.redhat.com/security/cve/CVE-2022-41881
https://access.redhat.com/security/cve/CVE-2022-45693
https://bugzilla.redhat.com/show_bug.cgi?id=1816332
https://bugzilla.redhat.com/show_bug.cgi?id=2155970
https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1
https://bugzilla.redhat.com/show_bug.cgi?id=1815495
https://bugzilla.redhat.com/show_bug.cgi?id=2135247
https://issues.redhat.com/browse/JBEAP-28583
https://access.redhat.com/security/cve/CVE-2021-3717
https://bugzilla.redhat.com/show_bug.cgi?id=2032580
https://access.redhat.com/security/cve/CVE-2022-1471
https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index
https://access.redhat.com/security/cve/CVE-2020-9548
https://access.redhat.com/errata/RHSA-2025:1746
https://bugzilla.redhat.com/show_bug.cgi?id=1815470
https://access.redhat.com/security/cve/CVE-2020-10673
https://access.redhat.com/security/cve/CVE-2022-42889
https://bugzilla.redhat.com/show_bug.cgi?id=2150009
https://bugzilla.redhat.com/show_bug.cgi?id=2153379
https://access.redhat.com/security/cve/CVE-2020-8840
https://bugzilla.redhat.com/show_bug.cgi?id=2145194
https://bugzilla.redhat.com/show_bug.cgi?id=2030932
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/cve/CVE-2022-42003
https://bugzilla.redhat.com/show_bug.cgi?id=1991305
https://access.redhat.com/security/cve/CVE-2022-42004
https://bugzilla.redhat.com/show_bug.cgi?id=1937440
https://bugzilla.redhat.com/show_bug.cgi?id=2135435
https://access.redhat.com/security/cve/CVE-2020-13936
https://access.redhat.com/security/cve/CVE-2020-9547
https://bugzilla.redhat.com/show_bug.cgi?id=1816330
Applikationen: Red Hat JBoss Enterprise Application Platform

Originalnachricht

 
A security update is now available for Red Hat JBoss Enterprise Application
 Platform 7.1 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of
 Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
 applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [eap-7.1.z]
 (CVE-2022-41881)

* velocity: arbitrary code execution when attacker is able to modify templates
 [eap-7.1.z] (CVE-2020-13936)

* jackson-databind: mishandles the interaction between serialization gadgets
 and typing which could result in remote command execution [eap-7.1.z] (CVE-2020-10673)

* jackson-databind: Serialization gadgets in anteros-core [eap-7.1.z]
 (CVE-2020-9548)

* jackson-databind: mishandles the interaction between serialization gadgets
 and typing which could result in remote command execution [eap-7.1.z] (CVE-2020-10672)

* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving
 access to all the local users [eap-7.1.z] (CVE-2021-3717)

* jackson-databind: Serialization gadgets in ibatis-sqlmap [eap-7.1.z]
 (CVE-2020-9547)

* log4j-core: DoS in log4j 2.x with thread context message pattern and context
 lookup pattern (incomplete fix for CVE-2021-44228) [eap-7.1.z] (CVE-2021-45046)

* log4j-core: Remote code execution in Log4j 2.x when logs contain an
 attacker-controlled string value [eap-7.1.z] (CVE-2021-44228)

* jackson-databind: Serialization gadgets in shaded-hikari-config [eap-7.1.z]
 (CVE-2020-9546)

* CXF: Apache CXF: directory listing / code exfiltration [eap-7.1.z]
 (CVE-2022-46363)

* sshd-common: mina-sshd: Java unsafe deserialization vulnerability [eap-7.1.z]
 (CVE-2022-45047)

* jettison:  If the value in map is the map's self, the new new
 JSONObject(map) cause StackOverflowError which may lead to dos [eap-7.1.z] (CVE-2022-45693)

* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
 [eap-7.1.z] (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays [eap-7.1.z] (CVE-2022-42004)

* jackson-databind: Lacks certain xbean-reflect/JNDI blocking [eap-7.1.z]
 (CVE-2020-8840)

* snakeyaml: Constructor Deserialization Remote Code Execution [eap-7.1.z]
 (CVE-2022-1471)

* commons-text: apache-commons-text: variable interpolation RCE [eap-7.1.z]
 (CVE-2022-42889)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
 listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2020-8840: Deserialization of Untrusted Data (CWE-502)
CVE-2020-9546: Deserialization of Untrusted Data (CWE-502)
CVE-2020-9547: Deserialization of Untrusted Data (CWE-502)
CVE-2020-9548: Deserialization of Untrusted Data (CWE-502)
CVE-2020-10672: Improper Neutralization of Directives in Statically Saved Code
 ('Static Code Injection') (CWE-96)
CVE-2020-10673: Improper Neutralization of Directives in Statically Saved Code
 ('Static Code Injection') (CWE-96)
CVE-2020-13936: Improper Control of Generation of Code ('Code
 Injection') (CWE-94)
CVE-2021-3717: Files or Directories Accessible to External Parties (CWE-552)
CVE-2021-44228: Improper Input Validation (CWE-20)
CVE-2021-45046: Uncontrolled Resource Consumption (CWE-400)
CVE-2022-1471: Deserialization of Untrusted Data (CWE-502)
CVE-2022-41881: Uncontrolled Recursion (CWE-674)
CVE-2022-42003: Deserialization of Untrusted Data (CWE-502)
CVE-2022-42004: Deserialization of Untrusted Data (CWE-502)
CVE-2022-42889: Initialization of a Resource with an Insecure Default
 (CWE-1188)
CVE-2022-45047: Deserialization of Untrusted Data (CWE-502)
CVE-2022-45693: Out-of-bounds Write (CWE-787)
CVE-2022-46363: Improper Input Validation (CWE-20)
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung