-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4 security update Advisory ID: RHSA-2022:0435-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2022:0435 Issue date: 2022-02-03 CVE Names: CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307 ==================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4. Security Fix(es): * log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305) * log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307) * log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104) * log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender 2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink 2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender 2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer 5. References: https://access.redhat.com/security/cve/CVE-2021-4104 https://access.redhat.com/security/cve/CVE-2022-23302 https://access.redhat.com/security/cve/CVE-2022-23305 https://access.redhat.com/security/cve/CVE-2022-23307 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=7.4 https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/ 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYfxjRNzjgjWX9erEAQgVzQ//QI8u2gmvstjS3EcHdZ4N2k0O7cXKVUh5 b+GfrSs7QAPFDpBE1+qvYTwRR/1aOmOS1Mg2kJPUmGpPnIu68FGt8o355zP0Tmfo 9pOlhqPIAM7+AVx4RejQtBlszQMVU4dj/YHKgJYbXab7oQlconQUCo7QCppN3hOz M1blN7OVtjAS3uR3Aag84WS29G/JsF2ks9kY6AY2UxbH39dzqXRInRe8v/0YygUI 7aLxt8qFlTkOrKvtGhSGk2fn7YKMy8vdDSVjVBqraAG2Vnl/5jmMAH7KV1obr7Nf ke5Z8c4pu2stGb2rNyqF/ktc6tv/kYgq29APgGlk66XtrtmWzjf/+hpCvyIa/p3e tl+I/X1GxULqr0efby9mjAlPa7hQf6Ro6pgiKZKtg0S4/QAjYevkzbuF+PX6CJwx 8mUiPaWCJotz6mR4UINMBhjK67oW1znw4iNiXr2jIsmG0Oi2YN9REMHGwgUVzdXw WwEayeIjEXJ4vWUuyq+ZrUO4qkPIO7UY5vcoiCjMOFQ2VdvQBwwEUpY/aTidc/6L /T2Gp+Xh84sUdB12FjiaRhSEK+ztAXyHBepskWwPxTzagL/1dsvhgBKO+erH8EZy 4y7PDgEx79K/2x1++ZtyfMfp4TU1zJrWOVlJat0v0rUhpAIH+VRQWkfH0UGUyaq2 BXxgHvVPJrU=9VXe -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce