Red Hat JBoss BPM Suite 6.4.7 Moderate: XML Parsing Risk Advisory
red hat
November 30, 2017
An update is now available for Red Hat JBoss BPM Suite
Solution
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.
The References section of this erratum contains a download link (you must
log in to download the update).
Summary
Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of
JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.7 serves as a replacement for
Red Hat JBoss BPM Suite 6.4.6, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.
Security Fix(es):
* A denial of service vulnerability was discovered in ZooKeeper which
allows an attacker to dramatically increase CPU utilization by abusing
"wchp/wchc" commands, leading to the server being unable to serve
legitimate requests. (CVE-2017-5637)
* It was discovered that the XmlUtils class in jbpmmigration performed
expansion of external parameter entities while parsing XML files. A remote
attacker could use this flaw to read files accessible to the user running
the application server and, potentially, perform other more advanced XML
eXternal Entity (XXE) attacks. (CVE-2017-7545)
Red Hat would like to thank Man Yue Mo (Semmle) for reporting
CVE-2017-7545.
Topics Covered
References
https://access.redhat.com/security/cve/CVE-2017-5637 https://access.redhat.com/security/cve/CVE-2017-7545 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4
Package List
PREVIOUS
NEXT
Advisory ID: RHSA-2017:3355-01
Product: Red Hat JBoss BPM Suite
Advisory URL: https://access.redhat.com/errata/RHSA-2017:3355
Issue date: 2017-11-30
Topic
An update is now available for Red Hat JBoss BPM Suite.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topics Covered
Relevant Releases Architectures
Bugs Fixed
1454808 - CVE-2017-5637 zookeeper: Incorrect input validation with wchp/wchc four letter words
1474822 - CVE-2017-7545 jbpmmigration: XXE vulnerability in XmlUtils
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!