-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Data Virtualization 6.4.8.SP2 security update
Advisory ID:       RHSA-2022:0507-01
Product:           Red Hat JBoss Data Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0507
Issue date:        2022-02-10
CVE Names:         CVE-2019-17571 CVE-2020-9488 CVE-2021-4104 
                   CVE-2022-23302 CVE-2022-23305 CVE-2022-23307 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Data Virtualization.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Data Virtualization is a lean data integration solution that
provides easy, real-time, and unified data access across disparate sources
to multiple applications and users. JBoss Data Virtualization makes data
spread across physically distinct systems - such as multiple databases, XML
files, and even Hadoop systems - appear as a set of tables in a local
database.

This Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP2
(Service Pack 2) serves as a replacement for Red Hat JBoss Data
Virtualization 6.4.8 and Red Hat JBoss Data Virtualization 6.4.8.SP1, and
mitigates the impact of the log4j CVE's referenced in this document by
removing the affected classes from the patch.

Note: customers should update their EAP 6.4 installation with the
corresponding security fixes that have been released for that (see
RHSA-2022:0437 and https://access.redhat.com/site/solutions/625683)

Security Fix(es):

* log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)

* log4j: SQL injection in Log4j 1.x when application is configured to use
JDBCAppender (CVE-2022-23305)

* log4j: Unsafe deserialization flaw in Chainsaw log viewer
(CVE-2022-23307)

* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSAppender (CVE-2021-4104)

* log4j: Remote code execution in Log4j 1.x when application is configured
to use JMSSink (CVE-2022-23302)

* log4j: improper validation of certificate with host mismatch in SMTP
appender (CVE-2020-9488)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1785616 - CVE-2019-17571 log4j: deserialization of untrusted data in SocketServer
1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender
2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

5. References:

https://access.redhat.com/security/cve/CVE-2019-17571
https://access.redhat.com/security/cve/CVE-2020-9488
https://access.redhat.com/security/cve/CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.4
https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYgWUZdzjgjWX9erEAQhlDBAAoUdT6IqJD+6adDf223s3N22R5fn/A/4u
pmHBgn5zUk/6olY5bZVa++COw2bGMY1cXk9zGTsUELRpyDALH0HsSfFSVFfDEcTW
O8MvQ47T+fBr8sm6fbEyCTCwu62klookjoiKZjpEh6AtUwoqnrJzClSdWQx4N35B
1c4RqA53WCPLMLCgg3Afqng+Hl7XmRMfBFix7G8daQph1wo8406A2XXkRHEPFv15
PQApV6aaPl1+0tnU4z2/xnChCuLMUUdg+SPFNP+ZgQbZdhN3ZDXpjvnpik+ebT0e
xUZBz5cICQRKhGT0LlALjyINdrYWvvEEQJig1vx+8kEuJxrG2YKUvvq9rki5aCza
rz4SU9YPS0Jo5x8cH3R/0UPYItbHTJz+LKD1J58CUz2aLQTZN3YkB7vnk6/QHfdk
toIy4L/jmUzvN7eJQUepKSgdRqLHPrIqgDmoPYt3emCn3D7t84KdywFodQrBag+P
lrwGJvW6VfcJidyf0lBRFpviZ6ZL+/pCaa4o20cor62qyXIFaynFne56IkeEpxp7
1EkcMUld5QFy//r1a6sLfqug5RpCr0fP1FoD6AcVJZBIFa1UMP5RVEgyOqkVqrU8
F3FmFAKjYxUAZxrtQDvufcq4EGh9fCE37uiJa9TmxTt9ZgjI4OchcNJ3C7MJHUiM
6GvHrpKQA+w=
=tKOy
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce