-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.20 security update Advisory ID: RHSA-2018:1447-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2018:1447 Issue date: 2018-05-14 CVE Names: CVE-2016-4978 CVE-2017-3163 CVE-2017-15095 CVE-2017-17485 CVE-2018-1304 CVE-2018-7489 CVE-2018-8088 ===================================================================== 1. Summary: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.20, fixes several bugs, and adds various enhancements are now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.20 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.19, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) (CVE-2017-15095) * jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485) * slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088) * Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability (CVE-2016-4978) * solr: Directory traversal via Index Replication HTTP API (CVE-2017-3163) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-15095; 0c0c0f from 360eSSaea(r)eaa(r)$? for reporting CVE-2017-17485; and Chris McCown for reporting CVE-2018-8088. 3. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. The References section of this erratum contains a download link (you must log in to download the update). The JBoss server process must be restarted for the update to take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 1379207 - CVE-2016-4978 Apache ActiveMQ Artemis: Deserialization of untrusted input vulnerability 1454783 - CVE-2017-3163 solr: Directory traversal via Index Replication HTTP API 1506612 - CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525) 1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) 1548289 - CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources 1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution 1549276 - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries 5. References: https://access.redhat.com/security/cve/CVE-2016-4978 https://access.redhat.com/security/cve/CVE-2017-3163 https://access.redhat.com/security/cve/CVE-2017-15095 https://access.redhat.com/security/cve/CVE-2017-17485 https://access.redhat.com/security/cve/CVE-2018-1304 https://access.redhat.com/security/cve/CVE-2018-7489 https://access.redhat.com/security/cve/CVE-2018-8088 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4 https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/?version=6.4 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBWvsEmNzjgjWX9erEAQh+dA/9Hwoznus8lr2APaYfs/Rn73AdYsdnFXTw nHvBucWF67wteSmPCWjXQkqN+DYJ5UC38jEi0Vl0vRWtAYQ1kY6dTsocJgnSu6cF VgJR9ou2hVeca9zxLETJ1rV8i5fJ0v1MJHl712cwlHmP3b9xzL0sdkwfxHF0do81 naChrYdIU8lmxn5bHzxrCcVMJ1KBRPfXmY3hcq8FKcQRYESF9jbdNzM9J4xGt0xO IVJDhn9r/9FeOqDihLJLRqoieAojavJpVnPtJgwvImczfXztRT4uk7k6I+9a3U3a IO0LGVVBg4MEryBOTlhfA6+0y6D6japDJn1p9ZNEZINDcmUS25lmpMzMgJcSPXze Ms+OqM46fmg87U7jb4d5JgCQ1Oq7mbTUjqyTGBLCgYkpZDix4mD1pJScxhIile6w 3OZlGuKkx9iQisii5RFdifNHThLU7oDgAGAuJH0FEQNyjMLSWq/XYlWNuxUo3c5V li5s9HICrIq5T5w0N0qmZ51QnTAigkRBxjmotAz/u6YmT5+3ejsm5z+SFcO8aVwf qIWjiP/TXOOsmzaZx+C1Ocz2NUSfUpYKzD33GqhMXmfbBLoL5pjTzsC8D0CGKeXl g+8yzWwAYFL/U5c/LVoPj8Dc+DXogj7oa5sCSSZPBgubUB8v+JI+y7NQLWFQ1u53 EeN19iZXUZQ= =hr11 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce