Red Hat JBoss BPM Suite 6.4.6 Security Update: Remote Logging DoS Issue
red hat
October 12, 2017
An update is now available for Red Hat JBoss BPM Suite
Solution
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.
The References section of this erratum contains a download link (you must
log in to download the update).
Summary
Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of
JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.6 serves as a replacement for
Red Hat JBoss BPM Suite 6.4.5, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the
log4j server would deserialize any log event received via TCP or UDP. An
attacker could use this flaw to send a specially crafted log event that,
during deserialization, would execute arbitrary code in the context of the
logger application. (CVE-2017-5645)
* It was found that XStream contains a vulnerability that allows a
maliciously crafted file to be parsed successfully which could cause an
application crash. The crash occurs if the file that is being fed into
XStream input stream contains an instances of the primitive type 'void'. An
attacker could use this flaw to create a denial of service on the target
system. (CVE-2017-7957)
References
https://access.redhat.com/security/cve/CVE-2017-5645 https://access.redhat.com/security/cve/CVE-2017-7957 https://access.redhat.com/security/updates/classification#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4
Package List
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2017:2889-01
Product: Red Hat JBoss BPM Suite
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2889
Issue date: 2017-10-12
Topic
An update is now available for Red Hat JBoss BPM Suite.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Relevant Releases Architectures
Bugs Fixed
1441538 - CVE-2017-7957 XStream: DoS when unmarshalling void type
1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!