
Red Hat JBoss 7.1 on RHEL 6: RHSA-2018:2423-01 Important DoS Threat

Red Hat, August 15, 2018
An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6.

Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.1.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237)
* bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)
* cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services (CVE-2017-12624)
* wildfly: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (CVE-2018-10862)
* cxf-core: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* (CVE-2018-8039)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2017-12624
https://access.redhat.com/security/cve/CVE-2018-8039
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/cve/CVE-2018-10862
https://access.redhat.com/security/cve/CVE-2018-1000180
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/?version=7.1
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/

Package List

Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Server:
Source:
eap7-activemq-artemis-1.5.5.013-1.redhat_1.1.ep7.el6.src.rpm
eap7-bouncycastle-1.56.0-5.redhat_3.1.ep7.el6.src.rpm
eap7-guava-libraries-25.0.0-1.redhat_1.1.ep7.el6.src.rpm
eap7-hibernate-5.1.15-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-ironjacamar-1.4.10-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-jberet-1.2.6-2.Final_redhat_1.1.ep7.el6.src.rpm
eap7-jboss-ejb-client-4.0.11-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-jboss-remoting-5.0.8-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-jboss-server-migration-1.0.6-4.Final_redhat_4.1.ep7.el6.src.rpm
eap7-mod_cluster-1.3.10-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-narayana-5.5.32-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-picketlink-bindings-2.5.5-13.SP12_redhat_1.1.ep7.el6.src.rpm
eap7-picketlink-federation-2.5.5-13.SP12_redhat_1.1.ep7.el6.src.rpm
eap7-resteasy-3.0.26-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-undertow-1.4.18-7.SP8_redhat_1.1.ep7.el6.src.rpm
eap7-wildfly-7.1.4-1.GA_redhat_1.1.ep7.el6.src.rpm
eap7-wildfly-javadocs-7.1.4-2.GA_redhat_1.1.ep7.el6.src.rpm
eap7-wildfly-naming-client-1.0.9-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-wildfly-openssl-linux-1.0.6-14.Final_redhat_1.1.ep7.el6.src.rpm
eap7-wildfly-transaction-client-1.0.4-1.Final_redhat_1.1.ep7.el6.src.rpm

Severity: Important

Advisory ID: RHSA-2018:2423-01
Product: Red Hat JBoss Enterprise Application Platform
Issue date: 2018-08-15

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Server - i386, noarch, x86_64

Bugs Fixed

1515976 - CVE-2017-12624 cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services

1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service

1588306 - CVE-2018-1000180 bouncycastle: flaw in the low-level interface to RSA key pair generator

1593527 - CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)

1595332 - CVE-2018-8039 apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*

JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

JBEAP-14787 - Tracker bug for the EAP 7.1.4 release for RHEL-6
