-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update
Advisory ID:       RHSA-2018:2742-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2742
Issue date:        2018-09-24
CVE Names:         CVE-2017-2582 CVE-2017-7536 CVE-2018-1336 CVE-2018-10237
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 6.4.21 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.20, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* hibernate-validator: Privilege escalation when running under the security manager (CVE-2017-7536)

* guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237)

* picketlink: The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml (CVE-2017-2582)

* jbossweb: tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1261190 - [GSS](6.4.z) Upgrade jboss-ejb-client from 1.0.40 to 1.0.41
1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
1570200 - [GSS](6.4.z) Upgrade JBoss Modules from 1.3.10 to 1.3.11
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1578830 - (6.4.z) Upgrade hibernate-validator from 4.3.3 to 4.3.4
1580440 - [GSS](6.4.z) Upgrade xnio from 3.0.16 to 3.0.17
1594389 - [GSS](6.4.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml
1602226 - [GSS](6.4.z) Upgrade xerces from 2.9.1.redhat-6 to 2.9.1.redhat-8
1606334 - [GSS](6.4.z) Upgrade JBoss VFS from 3.2.12 to 3.2.13
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1610355 - [GSS](6.4.z) Upgrade HornetQ from 2.3.25.SP24 to 2.3.25.SP28
1610742 - [GSS](6.4.z) Upgrade JBoss Web from 7.5.28 to 7.5.29
1611770 - [GSS](6.4.z) Upgrade Ironjacamar from 1.0.41 to 1.0.42
1614448 - [GSS](6.4.z) Upgrade Jackson from 1.9.9.redhat-6 to 1.9.9.redhat-7
1615347 - [GSS](6.4.z) Upgrade PicketLink from 2.5.4.SP18-redhat-1 to 2.5.4.SP18-redhat-2
1615380 - [GSS](6.4.z) Upgrade Guava from 13.0.1.redhat-2 to 13.0.1.redhat-3

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server:

Source:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el5.src.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el5.src.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el5.src.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el5.src.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el5.src.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el5.src.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el5.src.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el5.src.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el5.src.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el5.src.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el5.src.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el5.src.rpm

noarch:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el5.noarch.rpm
codehaus-jackson-core-asl-1.9.9-14.redhat_7.1.ep6.el5.noarch.rpm
codehaus-jackson-jaxrs-1.9.9-14.redhat_7.1.ep6.el5.noarch.rpm
codehaus-jackson-mapper-asl-1.9.9-14.redhat_7.1.ep6.el5.noarch.rpm
codehaus-jackson-xc-1.9.9-14.redhat_7.1.ep6.el5.noarch.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el5.noarch.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el5.noarch.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el5.noarch.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el5.noarch.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el5.noarch.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el5.noarch.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el5.noarch.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el5.noarch.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el5.noarch.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el5.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/cve/CVE-2017-7536
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
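The Solution and Package List sections above give the fixed package NVRs; the following check, added here and not part of Red Hat's advisory, compares a host's installed RPM NVRs against a subset of those fixed versions using a simplified rpmvercmp (tilde and caret handling of the real algorithm omitted). The `FIXED` table is copied from the advisory's noarch list, the `INVENTORY` is constructed, and `rpmvercmp`, `is_fixed` and `audit` are names introduced for this example.

```python
"""Added example, not from the advisory: compare installed EAP 6.4 RPMs with the
fixed versions in RHSA-2018:2742 using the rpmvercmp segment rules."""
import re

# Fixed (version, release) pairs copied from the advisory's noarch package list (subset).
FIXED = {
    "jbossweb": ("7.5.29", "1.Final_redhat_1.1.ep6.el5"),
    "guava-libraries": ("13.0.1", "5.redhat_3.1.ep6.el5"),
    "hibernate4-validator": ("4.3.4", "1.Final_redhat_1.1.ep6.el5"),
    "picketlink-federation": ("2.5.4", "21.SP18_redhat_2.1.ep6.el5"),
}

def rpmvercmp(a, b):
    """Simplified rpmvercmp (-1/0/1): walk maximal digit or letter runs; digits compare
    as integers and beat letters; the string with segments left over is the newer one."""
    if a == b:
        return 0
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(nvr):
    """True/False for a package the advisory covers, None for one it does not mention."""
    name, ver, rel = nvr.rsplit("-", 2)  # rpm NVRs split on the last two dashes
    if name not in FIXED:
        return None
    fixed_ver, fixed_rel = FIXED[name]
    # version decides; release only breaks a tie, so 4.3.3-2 is still below 4.3.4-1
    return (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) >= 0

def audit(inventory):
    """Names of advisory packages installed below the fixed version, sorted."""
    return sorted(n.rsplit("-", 2)[0] for n in inventory if is_fixed(n) is False)

# Constructed inventory (what `rpm -qa` might return on a host before the update).
INVENTORY = [
    "jbossweb-7.5.28-1.Final_redhat_1.1.ep6.el5",             # below fixed version
    "guava-libraries-13.0.1-5.redhat_3.1.ep6.el5",            # already at fixed NVR
    "hibernate4-validator-4.3.3-2.Final_redhat_1.1.ep6.el5",  # older version, higher release
    "picketlink-federation-2.5.4-21.SP18_redhat_1.1.ep6.el5", # same version, older release
    "bash-3.2-33.el5",                                        # not covered by the advisory
]
```

Feed it the real `rpm -qa` output of an EAP 6.4 host and extend `FIXED` with the rest of the advisory's list to get the packages still needing the update.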