what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2019-1797-01

Red Hat Security Advisory 2019-1797-01
Posted Jul 16, 2019
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2019-1797-01 - Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. This release of Red Hat JBoss BPM Suite 6.4.12 serves as a replacement for Red Hat JBoss BPM Suite 6.4.11, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution and deserialization vulnerabilities.

tags | advisory, vulnerability, code execution
systems | linux, redhat
advisories | CVE-2017-17485, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362
SHA-256 | 48ed6e1685f44f91f8d17d107b4e8cbd77921ca5a821642f761a77890d4c0a04

Red Hat Security Advisory 2019-1797-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss BPM Suite 6.4.12 security update
Advisory ID: RHSA-2019:1797-01
Product: Red Hat Process Automation Manager
Advisory URL: https://access.redhat.com/errata/RHSA-2019:1797
Issue date: 2019-07-16
CVE Names: CVE-2017-17485 CVE-2018-12022 CVE-2018-12023
CVE-2018-14718 CVE-2018-14719 CVE-2018-19360
CVE-2018-19361 CVE-2018-19362
====================================================================
1. Summary:

An update is now available for Red Hat JBoss BPM Suite.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of
JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.4.12 serves as a replacement for
Red Hat JBoss BPM Suite 6.4.11, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* jackson-databind: arbitrary code execution in slf4j-ext class
(CVE-2018-14718)

* jackson-databind: improper polymorphic deserialization in openjpa class
(CVE-2018-19361)

* jackson-databind: improper polymorphic deserialization in
axis2-transport-jms class (CVE-2018-19360)

* jackson-databind: improper polymorphic deserialization in
jboss-common-core (CVE-2018-19362)

* jackson-databind: arbitrary code execution in blaze-ds-opt and
blaze-ds-core classes (CVE-2018-14719)

* jackson-databind: improper polymorphic deserialization of types from
Jodd-db library (CVE-2018-12022)

* jackson-databind: improper polymorphic deserialization of types from
Oracle JDBC driver (CVE-2018-12023)

* jackson-databind: Unsafe deserialization due to incomplete black list
(incomplete fix for CVE-2017-15095) (CVE-2017-17485)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library

5. References:

https://access.redhat.com/security/cve/CVE-2017-17485
https://access.redhat.com/security/cve/CVE-2018-12022
https://access.redhat.com/security/cve/CVE-2018-12023
https://access.redhat.com/security/cve/CVE-2018-14718
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhpam&downloadType=securityPatches&version=6.4
https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/6.4/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXS35rtzjgjWX9erEAQgvjhAAp+5Q4mWxjM69OaVgjG70qBoGcV1Dl+k2
U8HrlkS+WXB9/52LxlZUgKeTB8oyR48J6P4VJ7nYvPmGwgiWIUq3z1chPSVFdfXQ
vbKQ35Ho3QsD1T+POsU8CiVIVkm172ATXlmMbO6QWHjhMLE4PrG3u6QPJs2N0KCy
xSNfEVw39xb7wfwORSGeY5cklsXRCSsW74yce7rjojX8FxlNypc9+vYaOi13AkBJ
mIjqDy7bKKXxEgIagPYNQWOvllzFY+zgtsHuMqGVLYIPuV+BXAyM6dIUk53DyDPE
Dhan9ZWZcp2aHMt4kKfpnmqY7+JdY2wXOEFOtxi9HrKL9Q1s88O1tRt5Trvf26nt
Ly9W6LGWr2rhtRaxozUfHLP26OGCdwqDbLa4BEAj3xvaLWZsFcMMlKDhDLM6y/Bl
CMk4bOxutpMO0d/wWOC3iLQKnqZuh2j/8Q2vPhEfQDu0Ph9D9ceUQGMik/JaYYvM
tpW83kjJmP6UoU6X2as8XbrA37ExqrZoKUoX14lf9ftZLgPIrmsRhWpgbWtt/Ef/
de72LKGFbJBRR9wTCv9bFe9wUeI7RHsWcTqGVrZQ7srqCdLQQpkoG2REKMGoRtuB
rW8wWW2HzAK/4XnSweg7/1aTKy3yN/kixEBynFbZAW3p2TkVBzmSvdSUwCVkWZhV
GJV2g8cgeEw=T9v8
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close