Mehrere Probleme in JBoss
ID: | RHSA-2018:1451-01 |
Distribution: | Red Hat |
Plattformen: | Red Hat JBoss Enterprise Application Platform |
Datum: | Di, 15. Mai 2018, 19:09 |
Referenzen: | https://access.redhat.com/security/cve/CVE-2017-17485
https://access.redhat.com/security/cve/CVE-2017-3163 https://access.redhat.com/security/cve/CVE-2017-15095 https://access.redhat.com/security/cve/CVE-2018-7489 https://access.redhat.com/security/cve/CVE-2016-4978 https://access.redhat.com/security/cve/CVE-2018-1304 https://access.redhat.com/security/cve/CVE-2018-8088 |
Applikationen: | JBoss |
Originalnachricht |
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: eap6-jboss-ec2-eap security update Advisory ID: RHSA-2018:1451-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2018:1451 Issue date: 2018-05-14 CVE Names: CVE-2016-4978 CVE-2017-3163 CVE-2017-15095 CVE-2017-17485 CVE-2018-1304 CVE-2018-7489 CVE-2018-8088 ===================================================================== 1. Summary: An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch 3. Description: The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.19. Security Fix(es): * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360观星实验室 for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1379207 - CVE-2016-4978 Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability 1454783 - CVE-2017-3163 solr: Directory traversal via Index Replication HTTP API 1506612 - CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) 1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) 1548289 - CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources 1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution 1549276 - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries 6. Package List: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server: Source: jboss-ec2-eap-7.5.20-1.Final_redhat_1.ep6.el6.src.rpm noarch: jboss-ec2-eap-7.5.20-1.Final_redhat_1.ep6.el6.noarch.rpm jboss-ec2-eap-samples-7.5.20-1.Final_redhat_1.ep6.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-4978 https://access.redhat.com/security/cve/CVE-2017-3163 https://access.redhat.com/security/cve/CVE-2017-15095 https://access.redhat.com/security/cve/CVE-2017-17485 https://access.redhat.com/security/cve/CVE-2018-1304 https://access.redhat.com/security/cve/CVE-2018-7489 https://access.redhat.com/security/cve/CVE-2018-8088 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/?version=6.4 8. Contact: The Red Hat security contact is |