exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2022-0497-01

Red Hat Security Advisory 2022-0497-01
Posted Feb 10, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-0497-01 - Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database. This Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP1 serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8, and mitigates the impact of the log4j CVE's referenced in this document by removing the affected classes from the patch. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.

tags | advisory, remote, local, vulnerability, code execution, sql injection
systems | linux, redhat
advisories | CVE-2019-17571, CVE-2020-9488, CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307
SHA-256 | 6c39fe299319c65184c9323080800c96f0b6e163fb623cde6dac60e579651689

Red Hat Security Advisory 2022-0497-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Data Virtualization 6.4.8.SP1 security update
Advisory ID: RHSA-2022:0497-01
Product: Red Hat JBoss Data Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0497
Issue date: 2022-02-09
CVE Names: CVE-2019-17571 CVE-2020-9488 CVE-2021-4104
CVE-2022-23302 CVE-2022-23305 CVE-2022-23307
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Data Virtualization.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Data Virtualization is a lean data integration solution that
provides easy, real-time, and unified data access across disparate sources
to multiple applications and users. JBoss Data Virtualization makes data
spread across physically distinct systems - such as multiple databases, XML
files, and even Hadoop systems - appear as a set of tables in a local
database.

This Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP1
(Service Pack 1) serves as a replacement for Red Hat JBoss Data
Virtualization 6.4.8, and mitigates the impact of the log4j CVE's
referenced in this document by removing the affected classes from the
patch.

Note: customers should update their EAP 6.4 installation with the
corresponding security fixes that have been released for that (see
RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)

Security Fix(es):

* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)

* log4j: SQL injection in Log4j 1.x when application is configured to use
JDBCAppender (CVE-2022-23305)

* log4j: Unsafe deserialization flaw in Chainsaw log viewer
(CVE-2022-23307)

* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSAppender (CVE-2021-4104)

* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSSink (CVE-2022-23302)

* log4j: improper validation of certificate with host mismatch in SMTP
appender (CVE-2020-9488)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1785616 - CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender
2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

5. References:

https://access.redhat.com/security/cve/CVE-2019-17571
https://access.redhat.com/security/cve/CVE-2020-9488
https://access.redhat.com/security/cve/CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.4
https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYgQ8pdzjgjWX9erEAQhibxAApNNpCu1QEqL04k+P/5qAF72t/lJahuXm
2BrICnANDEbog4sSBpIvmIDA0E/uGZWYCtyhYw+bEYfOScIfhecEe4AwsAmkMBCE
qpGroP2Dv27f0w0fxUGuekLebKDVjmR5OqMmJTtkeMlLsH/jh05D6/A09afPhjqo
NgRkqP46DIQa34rpt5CVJDB06W/gavL+Yj1kfDKfQXQyiGQOjEebFGAznPvhmLIa
X0RA2NztJafpU2oI2MuEof6yVMHPf4eZjV7XJN98gbhr0HT+nkgqzIYTqR42CStw
szLLu+Smrwjp1w+lHqdKLta/v0ze4r+iI9bIWyuaoG2zlxj6xrQCbXTduzkONsAN
eAe6gevya9xRa3yQGdqTp4ajor06mMEP3EwQQEtlOcu8ZbglrAzF5ToLPf8CNnrU
HhSwHa2eNH6GmwpmUt7AfTzzixvm1nZW7+in8SIf4TaE2c8fI1s7hl/Mniuvz8r6
qsE/GyNCS17qRGJSUThZzW5hfhlsUP+v3g44CYpmWcKnOUIW8InUdK5WRkjJaWM8
bGnTVqREQaA1tIny9KeILUg+xFmqUM5U9ZeZ5VaQK97SBmc9JxhL2cMDldDj5wcI
TcXUL1f91+yCvSD9IcEvjbqBQcMsFXdP8hZc4xO7ZF9QzXeH2jDA9YZpXUg20XtE
XI5RNeExtTE=
=Xke9
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close