Red Hat Security Advisory 2022-0497-01 - Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database. This Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP1 serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8, and mitigates the impact of the log4j CVE's referenced in this document by removing the affected classes from the patch. Issues addressed include code execution, deserialization, and remote SQL injection vulnerabilities.
6c39fe299319c65184c9323080800c96f0b6e163fb623cde6dac60e579651689
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Data Virtualization 6.4.8.SP1 security update
Advisory ID: RHSA-2022:0497-01
Product: Red Hat JBoss Data Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0497
Issue date: 2022-02-09
CVE Names: CVE-2019-17571 CVE-2020-9488 CVE-2021-4104
CVE-2022-23302 CVE-2022-23305 CVE-2022-23307
=====================================================================
1. Summary:
An update is now available for Red Hat JBoss Data Virtualization.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat JBoss Data Virtualization is a lean data integration solution that
provides easy, real-time, and unified data access across disparate sources
to multiple applications and users. JBoss Data Virtualization makes data
spread across physically distinct systems - such as multiple databases, XML
files, and even Hadoop systems - appear as a set of tables in a local
database.
This Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP1
(Service Pack 1) serves as a replacement for Red Hat JBoss Data
Virtualization 6.4.8, and mitigates the impact of the log4j CVE's
referenced in this document by removing the affected classes from the
patch.
Note: customers should update their EAP 6.4 installation with the
corresponding security fixes that have been released for that (see
RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)
Security Fix(es):
* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)
* log4j: SQL injection in Log4j 1.x when application is configured to use
JDBCAppender (CVE-2022-23305)
* log4j: Unsafe deserialization flaw in Chainsaw log viewer
(CVE-2022-23307)
* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSAppender (CVE-2021-4104)
* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSSink (CVE-2022-23302)
* log4j: improper validation of certificate with host mismatch in SMTP
appender (CVE-2020-9488)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1785616 - CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender
2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer
5. References:
https://access.redhat.com/security/cve/CVE-2019-17571
https://access.redhat.com/security/cve/CVE-2020-9488
https://access.redhat.com/security/cve/CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.4
https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYgQ8pdzjgjWX9erEAQhibxAApNNpCu1QEqL04k+P/5qAF72t/lJahuXm
2BrICnANDEbog4sSBpIvmIDA0E/uGZWYCtyhYw+bEYfOScIfhecEe4AwsAmkMBCE
qpGroP2Dv27f0w0fxUGuekLebKDVjmR5OqMmJTtkeMlLsH/jh05D6/A09afPhjqo
NgRkqP46DIQa34rpt5CVJDB06W/gavL+Yj1kfDKfQXQyiGQOjEebFGAznPvhmLIa
X0RA2NztJafpU2oI2MuEof6yVMHPf4eZjV7XJN98gbhr0HT+nkgqzIYTqR42CStw
szLLu+Smrwjp1w+lHqdKLta/v0ze4r+iI9bIWyuaoG2zlxj6xrQCbXTduzkONsAN
eAe6gevya9xRa3yQGdqTp4ajor06mMEP3EwQQEtlOcu8ZbglrAzF5ToLPf8CNnrU
HhSwHa2eNH6GmwpmUt7AfTzzixvm1nZW7+in8SIf4TaE2c8fI1s7hl/Mniuvz8r6
qsE/GyNCS17qRGJSUThZzW5hfhlsUP+v3g44CYpmWcKnOUIW8InUdK5WRkjJaWM8
bGnTVqREQaA1tIny9KeILUg+xFmqUM5U9ZeZ5VaQK97SBmc9JxhL2cMDldDj5wcI
TcXUL1f91+yCvSD9IcEvjbqBQcMsFXdP8hZc4xO7ZF9QzXeH2jDA9YZpXUg20XtE
XI5RNeExtTE=
=Xke9
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce