-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: JBoss Enterprise Application Platform 7.1.1 on RHEL 6 Advisory ID: RHSA-2018:0479-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2018:0479 Issue date: 2018-03-12 CVE Names: CVE-2017-7561 CVE-2017-12174 CVE-2017-12196 CVE-2017-15089 CVE-2017-15095 CVE-2017-17485 CVE-2018-1048 CVE-2018-5968 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174) * infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * resteasy: Vary header not added by CORS filter leading to cache poisoning (CVE-2017-7561) * undertow: Client can use bogus uri in Digest authentication (CVE-2017-12196) * undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser (CVE-2018-1048) * jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1483823 - CVE-2017-7561 resteasy: Vary header not added by CORS filter leading to cache poisoning 1498378 - CVE-2017-12174 artemis/hornetq: memory exhaustion via UDP and JGroups discovery 1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication 1503610 - CVE-2017-15089 infinispan: Unsafe deserialization of malicious object injected into data cache 1506612 - CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) 1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) 1534343 - CVE-2018-1048 undertow: ALLOW_ENCODED_SLASH option not taken into account in the AjpRequestParser 1538332 - CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485) 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-7531 - Tracker bug for the EAP 7.1.1 release for RHEL-6 7. Package List: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Server: Source: eap7-activemq-artemis-1.5.5.009-1.redhat_1.1.ep7.el6.src.rpm eap7-apache-cxf-3.1.13-1.redhat_1.1.ep7.el6.src.rpm eap7-glassfish-jsf-2.2.13-6.SP5_redhat_1.1.ep7.el6.src.rpm eap7-hibernate-5.1.12-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-infinispan-8.2.9-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-ironjacamar-1.4.7-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-jackson-annotations-2.8.11-1.redhat_1.1.ep7.el6.src.rpm eap7-jackson-core-2.8.11-1.redhat_1.1.ep7.el6.src.rpm eap7-jackson-databind-2.8.11-1.redhat_1.1.ep7.el6.src.rpm eap7-jackson-jaxrs-providers-2.8.11-1.redhat_1.1.ep7.el6.src.rpm eap7-jackson-module-jaxb-annotations-2.8.11-1.redhat_1.1.ep7.el6.src.rpm eap7-jackson-modules-java8-2.8.11-1.redhat_1.1.ep7.el6.src.rpm eap7-jboss-logmanager-2.0.8-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-jboss-server-migration-1.0.3-6.Final_redhat_6.1.ep7.el6.src.rpm eap7-jbossws-cxf-5.1.10-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-narayana-5.5.31-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-picketlink-bindings-2.5.5-10.SP9_redhat_1.1.ep7.el6.src.rpm eap7-picketlink-federation-2.5.5-10.SP9_redhat_1.1.ep7.el6.src.rpm eap7-resteasy-3.0.25-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-undertow-1.4.18-4.SP2_redhat_1.1.ep7.el6.src.rpm eap7-undertow-jastow-2.0.3-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-wildfly-7.1.1-4.GA_redhat_2.1.ep7.el6.src.rpm eap7-wildfly-elytron-1.1.8-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-wildfly-http-client-1.0.9-1.Final_redhat_1.1.ep7.el6.src.rpm eap7-wildfly-javadocs-7.1.1-3.GA_redhat_2.1.ep7.el6.src.rpm eap7-wss4j-2.1.11-1.redhat_1.1.ep7.el6.src.rpm eap7-xml-security-2.0.9-1.redhat_1.1.ep7.el6.src.rpm noarch: eap7-activemq-artemis-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-cli-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-commons-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-core-client-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-dto-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-hornetq-protocol-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-hqclient-protocol-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-jdbc-store-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-jms-client-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-jms-server-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-journal-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-native-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-ra-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-selector-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-server-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-activemq-artemis-service-extensions-1.5.5.009-1.redhat_1.1.ep7.el6.noarch.rpm eap7-apache-cxf-3.1.13-1.redhat_1.1.ep7.el6.noarch.rpm eap7-apache-cxf-rt-3.1.13-1.redhat_1.1.ep7.el6.noarch.rpm eap7-apache-cxf-services-3.1.13-1.redhat_1.1.ep7.el6.noarch.rpm eap7-apache-cxf-tools-3.1.13-1.redhat_1.1.ep7.el6.noarch.rpm eap7-glassfish-jsf-2.2.13-6.SP5_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-5.1.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-core-5.1.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-entitymanager-5.1.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-envers-5.1.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-infinispan-5.1.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-hibernate-java8-5.1.12-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-8.2.9-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-cachestore-jdbc-8.2.9-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-cachestore-remote-8.2.9-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-client-hotrod-8.2.9-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-commons-8.2.9-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-infinispan-core-8.2.9-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-ironjacamar-1.4.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-ironjacamar-common-api-1.4.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-ironjacamar-common-impl-1.4.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-ironjacamar-common-spi-1.4.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-ironjacamar-core-api-1.4.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-ironjacamar-core-impl-1.4.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-ironjacamar-deployers-common-1.4.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-ironjacamar-jdbc-1.4.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-ironjacamar-validator-1.4.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-jackson-annotations-2.8.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-jackson-core-2.8.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-jackson-databind-2.8.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-jackson-datatype-jdk8-2.8.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-jackson-datatype-jsr310-2.8.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-jackson-jaxrs-base-2.8.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-jackson-jaxrs-json-provider-2.8.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-jackson-module-jaxb-annotations-2.8.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-jackson-modules-java8-2.8.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-jboss-logmanager-2.0.8-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-cli-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-core-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-eap6.4-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-eap7.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-wildfly10.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-wildfly10.1-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-wildfly8.2-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-wildfly8.2-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-wildfly9.0-to-eap7.0-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jboss-server-migration-wildfly9.0-to-eap7.1-1.0.3-6.Final_redhat_6.1.ep7.el6.noarch.rpm eap7-jbossws-cxf-5.1.10-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-compensations-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-jbosstxbridge-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-jbossxts-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-jts-idlj-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-jts-integration-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-restat-api-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-restat-bridge-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-restat-integration-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-restat-util-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-narayana-txframework-5.5.31-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-api-2.5.5-10.SP9_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-bindings-2.5.5-10.SP9_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-common-2.5.5-10.SP9_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-config-2.5.5-10.SP9_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-federation-2.5.5-10.SP9_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-idm-api-2.5.5-10.SP9_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-idm-impl-2.5.5-10.SP9_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-idm-simple-schema-2.5.5-10.SP9_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-impl-2.5.5-10.SP9_redhat_1.1.ep7.el6.noarch.rpm eap7-picketlink-wildfly8-2.5.5-10.SP9_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-atom-provider-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-cdi-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-client-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-crypto-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jackson-provider-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jackson2-provider-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jaxb-provider-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jaxrs-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jettison-provider-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jose-jwt-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-jsapi-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-json-p-provider-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-multipart-provider-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-spring-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-validator-provider-11-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-resteasy-yaml-provider-3.0.25-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-undertow-1.4.18-4.SP2_redhat_1.1.ep7.el6.noarch.rpm eap7-undertow-jastow-2.0.3-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-wildfly-7.1.1-4.GA_redhat_2.1.ep7.el6.noarch.rpm eap7-wildfly-elytron-1.1.8-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-wildfly-http-client-common-1.0.9-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-wildfly-http-ejb-client-1.0.9-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-wildfly-http-naming-client-1.0.9-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-wildfly-http-transaction-client-1.0.9-1.Final_redhat_1.1.ep7.el6.noarch.rpm eap7-wildfly-javadocs-7.1.1-3.GA_redhat_2.1.ep7.el6.noarch.rpm eap7-wildfly-modules-7.1.1-4.GA_redhat_2.1.ep7.el6.noarch.rpm eap7-wss4j-2.1.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-wss4j-bindings-2.1.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-wss4j-policy-2.1.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-wss4j-ws-security-common-2.1.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-wss4j-ws-security-dom-2.1.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-wss4j-ws-security-policy-stax-2.1.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-wss4j-ws-security-stax-2.1.11-1.redhat_1.1.ep7.el6.noarch.rpm eap7-xml-security-2.0.9-1.redhat_1.1.ep7.el6.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2017-7561 https://access.redhat.com/security/cve/CVE-2017-12174 https://access.redhat.com/security/cve/CVE-2017-12196 https://access.redhat.com/security/cve/CVE-2017-15089 https://access.redhat.com/security/cve/CVE-2017-15095 https://access.redhat.com/security/cve/CVE-2017-17485 https://access.redhat.com/security/cve/CVE-2018-1048 https://access.redhat.com/security/cve/CVE-2018-5968 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/ 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFaprMjXlSAg2UNWIIRAt5bAKCKTiJTmLk0X7z7BN6remNUzGavdgCgjWla QdVO1KCpoGfk57AqICtTC8w= =v6UZ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce