-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 9 security update Advisory ID: RHSA-2023:1514-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2023:1514 Issue date: 2023-03-29 CVE Names: CVE-2022-1471 CVE-2022-4492 CVE-2022-38752 CVE-2022-41853 CVE-2022-41854 CVE-2022-41881 CVE-2022-45787 CVE-2023-0482 CVE-2023-1108 ===================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.4 for RHEL 9 - noarch, x86_64 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471) * hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853) * Undertow: Infinite loop in SslConduit during close (CVE-2023-1108) * undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492) * snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752) * dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854) * codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881) * apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider (CVE-2022-45787) * RESTEasy: creation of insecure temp files (CVE-2023-0482) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode 2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack 2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution 2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow 2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client 2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS 2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files 2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-23572 - (7.4.z) Upgrade jbossws-spi from 3.3.1.Final-redhat-00001 to 3.4.0.Final-redhat-00001 JBEAP-24122 - Tracker bug for the EAP 7.4.10 release for RHEL-9 JBEAP-24172 - (7.4.z) Upgrade jbossws-cxf from 5.4.4.Final-redhat-00001 to 5.4.8.Final-redhat-00001 JBEAP-24182 - (7.4.z) Upgrade wildfly-http-ejb-client from 1.1.13.SP1-redhat-00001 to 1.1.16.Final-redhat-00002 JBEAP-24220 - [GSS](7.4.z) Upgrade JBoss Metadata from 13.0.0.Final-redhat-00001 to 13.4.0.Final-redhat-00001 JBEAP-24254 - JDK17, CLI script to update security doesn't apply to microprofile JBEAP-24292 - (7.4.z) Upgrade Artemis Native from 1.0.2.redhat-00001 to 1.0.2.redhat-00004 JBEAP-24339 - (7.4.z) Upgrade Undertow from 2.2.22.SP3-redhat-00001 to 2.2.23.SP1 JBEAP-24341 - (7.4.z) Upgrade Ironjacamar from 1.5.10.Final-redhat-00001 to 1.5.11.Final-redhat-00001 JBEAP-24363 - (7.4.z) Upgrade org.jboss.spec.javax.el:jboss-el-api_3.0_spec from 2.0.0.Final-redhat-00001 to 2.0.1.Final JBEAP-24372 - (7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012 JBEAP-24380 - (7.4.z) Upgrade jastow from 2.0.11.Final-redhat-00001 to 2.0.14.Final-redhat-00001 JBEAP-24383 - [GSS](7.4.z) Upgrade artemis-wildfly-integration from 1.0.4 to 1.0.7 JBEAP-24384 - (7.4.z) Upgrade netty from 4.1.77.Final-redhat-00001 to 4.1.86.Final JBEAP-24385 - (7.4.z) Upgrade WildFly Core from 15.0.22.Final-redhat-00001 to 15.0.23.Final-redhat-00001 JBEAP-24395 - [GSS](7.4.z) Upgrade jboss-ejb-client from 4.0.49.Final-redhat-00001 to 4.0.50.Final JBEAP-24507 - (7.4.z) RESTEASY-3285 Upgrade resteasy 3.15.x to mime4j 0.8.9 JBEAP-24535 - [GSS](7.4.z) UNDERTOW-2239 - Infinite loop in `SslConduit` during close on JDK 11 JBEAP-24574 - [PST](7.4.z) Upgrade snakeyaml from 1.33.0.redhat-00001 to 1.33.SP1.redhat-00001 JBEAP-24588 - [GSS](7.4.z) RHEL9 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9 JBEAP-24605 - [PST](7.4.z) Upgrade undertow from 2.2.23.SP1-redhat-00001 to 2.2.23.SP2 JBEAP-24618 - (7.4.z) Upgrade WildFly Core from 15.0.23.Final-redhat-00001 to 15.0.25.Final-redhat-00001 7. Package List: Red Hat JBoss EAP 7.4 for RHEL 9: Source: eap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el9eap.src.rpm eap7-apache-mime4j-0.8.9-1.redhat_00001.1.el9eap.src.rpm eap7-artemis-native-1.0.2-4.redhat_00004.1.el9eap.src.rpm eap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el9eap.src.rpm eap7-infinispan-11.0.17-1.Final_redhat_00001.1.el9eap.src.rpm eap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el9eap.src.rpm eap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el9eap.src.rpm eap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el9eap.src.rpm eap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el9eap.src.rpm eap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el9eap.src.rpm eap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el9eap.src.rpm eap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el9eap.src.rpm eap7-netty-4.1.86-1.Final_redhat_00001.1.el9eap.src.rpm eap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el9eap.src.rpm eap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el9eap.src.rpm eap7-resteasy-3.15.5-1.Final_redhat_00001.1.el9eap.src.rpm eap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el9eap.src.rpm eap7-undertow-2.2.23-1.SP2_redhat_00001.1.el9eap.src.rpm eap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el9eap.src.rpm eap7-wildfly-7.4.10-6.GA_redhat_00002.1.el9eap.src.rpm eap7-wildfly-http-client-1.1.16-1.Final_redhat_00002.1.el9eap.src.rpm noarch: eap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el9eap.noarch.rpm eap7-apache-mime4j-0.8.9-1.redhat_00001.1.el9eap.noarch.rpm eap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el9eap.noarch.rpm eap7-infinispan-11.0.17-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-infinispan-cachestore-jdbc-11.0.17-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-infinispan-cachestore-remote-11.0.17-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-infinispan-client-hotrod-11.0.17-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-infinispan-commons-11.0.17-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-infinispan-component-annotations-11.0.17-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-infinispan-core-11.0.17-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-11.0.17-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-11.0.17-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-11.0.17-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-ironjacamar-common-api-1.5.11-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-ironjacamar-common-impl-1.5.11-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-ironjacamar-common-spi-1.5.11-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-ironjacamar-core-api-1.5.11-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-ironjacamar-core-impl-1.5.11-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-ironjacamar-deployers-common-1.5.11-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-ironjacamar-jdbc-1.5.11-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-ironjacamar-validator-1.5.11-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-jboss-metadata-appclient-13.4.0-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-jboss-metadata-common-13.4.0-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-jboss-metadata-ear-13.4.0-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-jboss-metadata-ejb-13.4.0-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-jboss-metadata-web-13.4.0-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el9eap.noarch.rpm eap7-jboss-server-migration-cli-1.10.0-26.Final_redhat_00025.1.el9eap.noarch.rpm eap7-jboss-server-migration-core-1.10.0-26.Final_redhat_00025.1.el9eap.noarch.rpm eap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-buffer-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-dns-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-haproxy-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-http-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-http2-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-memcache-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-mqtt-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-redis-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-smtp-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-socks-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-stomp-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-codec-xml-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-common-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-handler-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-handler-proxy-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-resolver-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-resolver-dns-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-resolver-dns-classes-macos-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-transport-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-transport-classes-epoll-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-transport-classes-kqueue-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-transport-native-unix-common-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-transport-rxtx-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-transport-sctp-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-netty-transport-udt-4.1.86-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-picketlink-api-2.5.5-22.SP12_redhat_00012.1.el9eap.noarch.rpm eap7-picketlink-common-2.5.5-22.SP12_redhat_00012.1.el9eap.noarch.rpm eap7-picketlink-config-2.5.5-22.SP12_redhat_00012.1.el9eap.noarch.rpm eap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el9eap.noarch.rpm eap7-picketlink-idm-api-2.5.5-22.SP12_redhat_00012.1.el9eap.noarch.rpm eap7-picketlink-idm-impl-2.5.5-22.SP12_redhat_00012.1.el9eap.noarch.rpm eap7-picketlink-idm-simple-schema-2.5.5-22.SP12_redhat_00012.1.el9eap.noarch.rpm eap7-picketlink-impl-2.5.5-22.SP12_redhat_00012.1.el9eap.noarch.rpm eap7-resteasy-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-atom-provider-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-cdi-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-client-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-crypto-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-jackson-provider-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-jackson2-provider-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-jaxb-provider-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-jaxrs-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-jettison-provider-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-jose-jwt-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-jsapi-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-json-binding-provider-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-json-p-provider-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-multipart-provider-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-rxjava2-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-spring-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-validator-provider-11-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-resteasy-yaml-provider-3.15.5-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el9eap.noarch.rpm eap7-undertow-2.2.23-1.SP2_redhat_00001.1.el9eap.noarch.rpm eap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el9eap.noarch.rpm eap7-wildfly-7.4.10-6.GA_redhat_00002.1.el9eap.noarch.rpm eap7-wildfly-http-client-common-1.1.16-1.Final_redhat_00002.1.el9eap.noarch.rpm eap7-wildfly-http-ejb-client-1.1.16-1.Final_redhat_00002.1.el9eap.noarch.rpm eap7-wildfly-http-naming-client-1.1.16-1.Final_redhat_00002.1.el9eap.noarch.rpm eap7-wildfly-http-transaction-client-1.1.16-1.Final_redhat_00002.1.el9eap.noarch.rpm eap7-wildfly-java-jdk11-7.4.10-6.GA_redhat_00002.1.el9eap.noarch.rpm eap7-wildfly-java-jdk17-7.4.10-6.GA_redhat_00002.1.el9eap.noarch.rpm eap7-wildfly-java-jdk8-7.4.10-6.GA_redhat_00002.1.el9eap.noarch.rpm eap7-wildfly-javadocs-7.4.10-6.GA_redhat_00002.1.el9eap.noarch.rpm eap7-wildfly-modules-7.4.10-6.GA_redhat_00002.1.el9eap.noarch.rpm x86_64: eap7-artemis-native-1.0.2-4.redhat_00004.1.el9eap.x86_64.rpm eap7-artemis-native-wildfly-1.0.2-4.redhat_00004.1.el9eap.x86_64.rpm eap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el9eap.x86_64.rpm eap7-netty-transport-native-epoll-debuginfo-4.1.86-1.Final_redhat_00001.1.el9eap.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-4492 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/cve/CVE-2022-41853 https://access.redhat.com/security/cve/CVE-2022-41854 https://access.redhat.com/security/cve/CVE-2022-41881 https://access.redhat.com/security/cve/CVE-2022-45787 https://access.redhat.com/security/cve/CVE-2023-0482 https://access.redhat.com/security/cve/CVE-2023-1108 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/ 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZCT+3tzjgjWX9erEAQht7Q/9FbJUTgV/Qb+2XhLqfZQmjNZftIlUMHHW fRjssBM+z7800EG7gtIm4ZKVN4xJ7+vp265DSK5UmLTXNYT38D4t8lCR8O4jud1v 8Y+mg/mFJqn8g4IPF1WOqBclOAnb/faC3urrbeJllOIuwN7f8V73OCZtrMZOtwxi D73HmdShmDgrHuUvQ9+L5DZSpE8ikhbsmpdtNVizpc1I0Tq/rX9KbVg/uKed85rI o7moPjaEk0vhwgG13CU1iivg9TmF+nkY0x0nfDG+gDHTyL7E1klewkoTtbXYK2IH j/eMz6+Ahrfo5sQ6KeI15vCxSLqGhUZf1DZVWokZGzFTJu6DHMPToy4xwP+FfVX5 z0Z8zBWSimYjLAVmDZIgW0H6jINg4hIT2dKNJf1XhZhYpdxUpJyRGx3lOvd7gHrB oMKqO/Z4HkGKQ1y2pMWZQAb4HXAT8L7HR2RFR34tcsYC+sz4ZugSi0oeZejkdhn9 sZSeEV+e+nLL52Xhya7QHOLbZoRHfHki1JWGKZIcTS4ThSKq3GPFbxEWihUHtbW/ Eoe6TmVNCkIC1W03xv+06f8ZkqlH5lkHV7GL9CQ+6yNakmfRM59fxm2bJ7bzOO7W Vb0Lz2pd5h9PqW+5UxNJeRddy4nC5hBWP1pXx03877g8nppxS/Z042j+kULBqx76 2d36mNYFc24= =0Lpj -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce