Red Hat: RHSA-2017-3216-01 Moderate: JBoss Security Risk for RHEL 5
red hat
November 14, 2017
An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5
Solution
Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
Summary
Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 6.4.18 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.17,
and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.
Security Fix(es):
* It was found that while parsing the SAML messages the StaxParserUtil
class of Picketlink replaces special strings for obtaining attribute values
with system property. This could allow an attacker to determine values of
system properties at the attacked system by formatting the SAML request ID
field to be the chosen system property which could be obtained in the
"InResponseTo" field in the response. (CVE-2017-2582)
This issue was discovered by Hynek Mlnarik (Red Hat).
References
https://access.redhat.com/security/cve/CVE-2017-2582 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/
Package List
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server:
Source:
hornetq-2.3.25-24.SP22_redhat_1.1.ep6.el5.src.rpm
jboss-as-appclient-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-cli-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-client-all-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-clustering-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-cmp-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-configadmin-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-connector-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-controller-client-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-core-security-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-deployment-repository-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-deployment-scanner-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-domain-http-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-domain-management-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ee-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ee-deployment-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-ejb3-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
jboss-as-embedded-7.5.18-1.Final_redhat_1.1.ep6.el5.src.rpm
Read the Full Advisory
PREVIOUS
NEXT
Advisory ID: RHSA-2017:3216-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2017:3216
Issue date: 2017-11-14
Topic
An update is now available for Red Hat JBoss Enterprise ApplicationPlatform 6.4 for Red Hat Enterprise Linux 5.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Relevant Releases Architectures
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Server - noarch
Bugs Fixed
1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
1498254 - RHEL5 RPMs: Upgrade jbossweb to 7.5.26.Final-redhat-1
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!