-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 7.4 security update
Advisory ID:       RHSA-2022:0436-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0436
Issue date:        2022-02-03
CVE Names:         CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307
====================================================================

1. Summary:

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch
Red Hat JBoss EAP 7.4 for RHEL 8 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.

Security Fix(es):

* log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)

* log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)

* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)

* log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

6. Package List:

Red Hat JBoss EAP 7.4 for RHEL 7 Server:

Source:
eap7-log4j-jboss-logmanager-1.2.2-1.Final_redhat_00002.1.el7eap.src.rpm

noarch:
eap7-log4j-jboss-logmanager-1.2.2-1.Final_redhat_00002.1.el7eap.noarch.rpm

Red Hat JBoss EAP 7.4 for RHEL 8:

Source:
eap7-log4j-jboss-logmanager-1.2.2-1.Final_redhat_00002.1.el8eap.src.rpm

noarch:
eap7-log4j-jboss-logmanager-1.2.2-1.Final_redhat_00002.1.el8eap.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
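As an added triage example (not Red Hat's tooling and not part of this advisory): the advisory states that each flaw applies only when an application is configured to use JDBCAppender, JMSAppender or JMSSink, so this scanner reports which of those Log4j 1.x classes a log4j.properties or log4j.xml text still references, ignoring commented-out definitions. The class names are the standard Log4j 1.x ones; the sample configuration is constructed.

```python
"""Triage for RHSA-2022:0436: does a Log4j 1.x config use an advisory-listed class?
Sample configuration text is constructed for this example."""
import re
# Log4j 1.x class names mapped to the CVEs the advisory assigns to them.
RISKY_CLASSES = {
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
}
_XML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
# log4j.properties form: log4j.appender.<name>=<class>
_PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([\w-]+)\s*[=:]\s*(\S+)", re.MULTILINE)
# log4j.xml form: <appender name="..." class="..."> with attributes in any order
_XML_APPENDER_TAG = re.compile(r"<appender\b([^>]*)>")
_ATTR = re.compile(r'(\w+)="([^"]*)"')

def _active_text(config_text: str) -> str:
    """Drop XML comments and '#'/'!' comment lines so disabled definitions are not reported."""
    text = _XML_COMMENT.sub("", config_text)
    return "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith(("#", "!")))

def find_risky_classes(config_text: str) -> list:
    """Return sorted (class, cve, [appender names]) triples for a properties or XML config.
    JMSSink is a standalone program rather than an appender, so a bare reference to any
    listed class outside an appender definition is reported under the name '(referenced)'."""
    text = _active_text(config_text)
    found = {}
    for name, cls in _PROP_APPENDER.findall(text):
        if cls in RISKY_CLASSES:
            found.setdefault(cls, set()).add(name)
    for attrs in _XML_APPENDER_TAG.findall(text):
        a = dict(_ATTR.findall(attrs))
        if a.get("class") in RISKY_CLASSES:
            found.setdefault(a["class"], set()).add(a.get("name", "?"))
    for cls in RISKY_CLASSES:
        if cls in text and cls not in found:
            found[cls] = {"(referenced)"}
    return sorted((cls, RISKY_CLASSES[cls], sorted(names)) for cls, names in found.items())

# Constructed sample: one live JMSAppender, one JDBCAppender that is commented out.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
# log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
"""
if __name__ == "__main__":
    for cls, cve, names in find_risky_classes(SAMPLE_PROPERTIES):
        print(f"{cve}: {cls} configured as {', '.join(names)}")
```

A hit means the deployment is within the advisory's stated exposure and the eap7-log4j-jboss-logmanager update should be prioritised; no hit only narrows the question to the Chainsaw viewer (CVE-2022-23307), which is not a configuration setting.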