what you don't know can hurt you

Red Hat Security Advisory 2019-1797-01

Red Hat Security Advisory 2019-1797-01
Posted Jul 16, 2019
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2019-1797-01 - Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. This release of Red Hat JBoss BPM Suite 6.4.12 serves as a replacement for Red Hat JBoss BPM Suite 6.4.11, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution and deserialization vulnerabilities.

tags | advisory, vulnerability, code execution
systems | linux, redhat
advisories | CVE-2017-17485, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362
MD5 | 38682b36915cf05dcfcb491c3edfc161

Red Hat Security Advisory 2019-1797-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss BPM Suite 6.4.12 security update
Advisory ID: RHSA-2019:1797-01
Product: Red Hat Process Automation Manager
Advisory URL: https://access.redhat.com/errata/RHSA-2019:1797
Issue date: 2019-07-16
CVE Names: CVE-2017-17485 CVE-2018-12022 CVE-2018-12023
CVE-2018-14718 CVE-2018-14719 CVE-2018-19360
CVE-2018-19361 CVE-2018-19362
====================================================================
1. Summary:

An update is now available for Red Hat JBoss BPM Suite.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of
JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.4.12 serves as a replacement for
Red Hat JBoss BPM Suite 6.4.11, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* jackson-databind: arbitrary code execution in slf4j-ext class
(CVE-2018-14718)

* jackson-databind: improper polymorphic deserialization in openjpa class
(CVE-2018-19361)

* jackson-databind: improper polymorphic deserialization in
axis2-transport-jms class (CVE-2018-19360)

* jackson-databind: improper polymorphic deserialization in
jboss-common-core (CVE-2018-19362)

* jackson-databind: arbitrary code execution in blaze-ds-opt and
blaze-ds-core classes (CVE-2018-14719)

* jackson-databind: improper polymorphic deserialization of types from
Jodd-db library (CVE-2018-12022)

* jackson-databind: improper polymorphic deserialization of types from
Oracle JDBC driver (CVE-2018-12023)

* jackson-databind: Unsafe deserialization due to incomplete black list
(incomplete fix for CVE-2017-15095) (CVE-2017-17485)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library

5. References:

https://access.redhat.com/security/cve/CVE-2017-17485
https://access.redhat.com/security/cve/CVE-2018-12022
https://access.redhat.com/security/cve/CVE-2018-12023
https://access.redhat.com/security/cve/CVE-2018-14718
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhpam&downloadType=securityPatches&version=6.4
https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/6.4/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXS35rtzjgjWX9erEAQgvjhAAp+5Q4mWxjM69OaVgjG70qBoGcV1Dl+k2
U8HrlkS+WXB9/52LxlZUgKeTB8oyR48J6P4VJ7nYvPmGwgiWIUq3z1chPSVFdfXQ
vbKQ35Ho3QsD1T+POsU8CiVIVkm172ATXlmMbO6QWHjhMLE4PrG3u6QPJs2N0KCy
xSNfEVw39xb7wfwORSGeY5cklsXRCSsW74yce7rjojX8FxlNypc9+vYaOi13AkBJ
mIjqDy7bKKXxEgIagPYNQWOvllzFY+zgtsHuMqGVLYIPuV+BXAyM6dIUk53DyDPE
Dhan9ZWZcp2aHMt4kKfpnmqY7+JdY2wXOEFOtxi9HrKL9Q1s88O1tRt5Trvf26nt
Ly9W6LGWr2rhtRaxozUfHLP26OGCdwqDbLa4BEAj3xvaLWZsFcMMlKDhDLM6y/Bl
CMk4bOxutpMO0d/wWOC3iLQKnqZuh2j/8Q2vPhEfQDu0Ph9D9ceUQGMik/JaYYvM
tpW83kjJmP6UoU6X2as8XbrA37ExqrZoKUoX14lf9ftZLgPIrmsRhWpgbWtt/Ef/
de72LKGFbJBRR9wTCv9bFe9wUeI7RHsWcTqGVrZQ7srqCdLQQpkoG2REKMGoRtuB
rW8wWW2HzAK/4XnSweg7/1aTKy3yN/kixEBynFbZAW3p2TkVBzmSvdSUwCVkWZhV
GJV2g8cgeEw=T9v8
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    10 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close