-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 7.2.0 security update
Advisory ID:       RHSA-2019:0139-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0139
Issue date:        2019-01-22
CVE Names:         CVE-2017-2582
====================================================================
1. Summary:

Red Hat JBoss Enterprise Application Platform 7.2.0 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on the JBoss Application Server.

This release serves as a replacement for Red Hat JBoss Enterprise
Application Platform 7.1, and includes bug fixes and enhancements. Refer to
the Red Hat JBoss Enterprise Application Platform 7.2.0 Release Notes for
information on the most significant bug fixes and enhancements included in
this release.

Security Fix(es):

* picketlink: SAML request parser replaces special strings with system
properties (CVE-2017-2582)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat).

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must
log in to download the update).

The JBoss server process must be restarted for the update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties

5. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-12932 - Upgrade WildFly Core to 4.0.1.Final
JBEAP-13189 - Upgrade Generic JMS RA 2.0.1.Final
JBEAP-13658 - Upgrade JGroups to 3.6.15.Final
JBEAP-13867 - [Artemis upgrade] Transformer interface was changed
JBEAP-13895 - [GSS](7.2.0) Upgrade picketlink from 2.5.5.SP8 to 2.5.5.SP9
JBEAP-14222 - (EL12) Upgrade Infinispan to 9.1.6.Final to 9.1.7.Final
JBEAP-14239 - (EL12) Upgrade Artemis to 1.5.5.009-redhat-1
JBEAP-14386 - (7.2.0.EO12) Upgrade slf4j from 1.7.22.redhat-1 to 1.7.22.redhat-2
JBEAP-14415 - Upgrade WildFly Core to 4.0.1.Final-redhat-1
JBEAP-14421 - Upgrade WildFly Elytron Tool to 1.1.4.Final
JBEAP-14422 - Upgrade WildFly Elytron to 1.2.4.Final
JBEAP-14427 - Upgrade Undertow to 2.0.0.SP1
JBEAP-14504 - Upgrade WildFly HTTP client 1.0.12.Final
JBEAP-14581 - (CD12) Upgrade FasterXML Jackson from 2.9.4.redhat-1 to 2.9.5.redhat-1
JBEAP-14811 - 7.2 - Migration Guide: Upgrade org.apache.santuario.xmlsec to 2.1.1. caused regression in PicketLinkSTS
JBEAP-14852 - Upgrade to Galleon 1.0.1.Final and Galleon Plugins 1.0.1.Final (core)
JBEAP-14853 - Upgrade to Galleon 1.0.1.Final and Galleon Plugins 1.0.1.Final (full)
JBEAP-14854 - [7.2] Migration Guide: document upgrade from Hibernate ORM 5.1 to 5.3
JBEAP-14881 - Upgrade PicketBox to 5.0.3.Final
JBEAP-15030 - [CD14] Clarify wording on EJB timers before upgrade/migration
JBEAP-15044 - Upgrade to Apache CXF from 3.2.4 to 3.2.5
JBEAP-15046 - Upgrade to Apache CXF 3.2.5
JBEAP-15069 - Installer: Upgrade IzPack aesh-readline to 1.10
JBEAP-15123 - Upgrade PicketBox to 5.0.3.Final-redhat-2 from 5.0.3.Final-redhat-1
JBEAP-15334 - Upgrade Infinispan to 9.3.3.Final
JBEAP-15347 - (7.2.0) Upgrade jastow to 2.0.6.Final
JBEAP-15351 - (7.2.0) Upgrade PicketBox from 5.0.3.Final to 5.0.3.Final-redhat-3
JBEAP-15352 - (7.2.0) Upgrade PicketLink from 2.5.5.SP12 to 2.5.5.SP12-redhat-2
JBEAP-15353 - (7.2.0) Upgrade PicketLink bindings from 2.5.5.SP12 to 2.5.5.SP12-redhat-2
JBEAP-15421 - Upgrade MSC to 1.4.5.Final
JBEAP-15431 - Upgrade WildFly Elytron to 1.6.1.Final
JBEAP-15446 - Upgrade JGroups to 4.0.15.Final
JBEAP-15453 - [PROD](CD14) Upgrade to wildfly-openssl from 1.0.6.Final-redhat-1 to 1.0.6.Final-redhat-2
JBEAP-15494 - (7.2.0) (picketlink) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml
JBEAP-15499 - (7.2.0) (picketlink-bindings) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml
JBEAP-15507 - Upgrade to core 6.0.7.Final
JBEAP-15542 - Upgrade Jboss Metadata to 12.0.0.Final
JBEAP-15600 - Upgrade jboss-logmanager from 2.1.4.Final to 2.1.5.Final
JBEAP-15612 - Upgrade to Galleon and WildFly Galleon Plugins 2.0.1.Final
JBEAP-15614 - Upgrade Core EAP to Galleon and WildFly Galleon Plugins 2.0.1.Final
JBEAP-15625 - Upgrade smallrye-config 1.3.4
JBEAP-15628 - [GSS](7.2.0) Upgrade jboss-ejb-client from 4.0.11 to 4.0.12
JBEAP-15656 - Upgrade JBossWS to 5.2.4.Final
JBEAP-15657 - Upgrade RESTEasy to 3.6.1.SP2
JBEAP-15661 - (7.2.0)  Upgrade Hibernate ORM from 5.3.6 to 5.3.7
JBEAP-15666 - (7.2.0) Upgrade HAL to 3.0.7.Final
JBEAP-15720 - Upgrade Artemis to  2.6.3.redhat-00008
JBEAP-15731 - Upgrade to WildFly Galleon Plugins 2.0.2.Final and properly configure plugin dependencies
JBEAP-15740 - Upgrade to WildFly Core 6.0.11.Final
JBEAP-15756 - Upgrade Artemis to  2.6.3.redhat-00012
JBEAP-16031 - Tracker bug for the EAP 7.2.0 text only release

6. References:

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions&version=7.2
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/?version=7.2
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXEdGNdzjgjWX9erEAQj+qA/7BdJcfZT2m93wdmus7DtjZb1RmhacOLvM
wGSnb6KtfsdMsBjhPpLGXw8IuZu74d1V9w/wWbemYhOgt5/UrZHyRlX0WdyWduJe
/PTydi9gK4zGy6srltukWarg/HkadBnMl/6x2e82AeF6qqXrjy9TSEczDQzcyhPy
v5iN0wligv+yIlfJksEHPdEzxMaifo/cEolBhhWwwohJlfMjPpEHDKmb9NM+Bmxj
mcDTT1ayG8eA4GApZfNpMRKz1Ip2pCnP9y7wOl/sty0NX1MzDF8+z2tRt0QlObIn
g8AH4Q/Gk/WkGNy5jfoPtc29VGFuU5I569IgpCe7n37VJJPBEz2Pt6UYktGDgqS2
hwXiZetTBRQSkRZDg7zvWKZlwz8zlZYGnIc9rPFDiHmJEeN9jWVK/jIpTGPvSDbU
jEXMx92e0JW/gWTutbrgGeqKu3TfwdJzf7ZG1xa2jQ048J3afgomrq0GXqlraiGl
45qXX35jYkiRklCgPKkHPsw1lS75rcdaB1IhOw3/yC80npAPmZDDndD8/IgjXM75
g2lQpd7RnEj194zsHL1tYbW2h+FWrLsCcbLhstz1b4AWv3OvhWU5b5R7EC8fwMxq
47cYrBC3NBJsgY2vP0puxddqWJX02NLelVFhpiwDDkIPoRys/yqf+Fm3EC9+LUxO
weniG1aKFU0=Y0Ut
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce