RedHat: RHSA-2019-0139:01 Moderate: Red Hat JBoss Enterprise Application

    Date: 22 Jan 2019
    Category: Red Hat
    Posted By: Anthony Pell
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 7.2.0 security update
    Advisory ID:       RHSA-2019:0139-01
    Product:           Red Hat JBoss Enterprise Application Platform
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0139
    Issue date:        2019-01-22
    CVE Names:         CVE-2017-2582 
    =====================================================================
    
    1. Summary:
    
    Red Hat JBoss Enterprise Application Platform 7.2.0 is now available.
    
    Red Hat Product Security has rated this update as having a security impact
    of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Description:
    
    Red Hat JBoss Enterprise Application Platform is a platform for Java
    applications based on the JBoss Application Server.
    
    This release serves as a replacement for Red Hat JBoss Enterprise
    Application Platform 7.1, and includes bug fixes and enhancements. Refer to
    the Red Hat JBoss Enterprise Application Platform 7.2.0 Release Notes for
    information on the most significant bug fixes and enhancements included in
    this release.
    
    Security Fix(es):
    
    * picketlink: SAML request parser replaces special strings with system
    properties (CVE-2017-2582)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, and other related information, refer to the CVE page(s) listed in
    the References section.
    
    The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat).
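    As an added illustration that is not part of the advisory or of the PicketLink code base, the pattern behind the CVE-2017-2582 fix and the follow-up issues JBEAP-15494/15499 in Python: placeholder expansion stays available for trusted picketlink.xml attributes but must never run over inbound SAML request text. The `${name}` placeholder syntax, the property values and the SAML snippet are constructed assumptions.

```python
import re

# Constructed stand-in for a JVM's system properties (values are not real).
SYSTEM_PROPERTIES = {
    "java.home": "/opt/jdk",
    "jboss.server.config.dir": "/opt/eap/standalone/configuration",
}

# Assumed placeholder syntax: ${property.name}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
ISSUER = re.compile(r"<Issuer>(.*?)</Issuer>")


def expand_properties(text, props=SYSTEM_PROPERTIES):
    """Replace ${name} with the named property; unknown names are left as-is."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), text)


def parse_issuer_vulnerable(saml_xml):
    """Pre-fix behaviour: the expander runs over attacker-controlled request
    text, so a placeholder in the request is resolved from the server's own
    system properties and the result flows back into processing."""
    return expand_properties(ISSUER.search(saml_xml).group(1))


def parse_issuer_fixed(saml_xml):
    """Post-fix behaviour: inbound request values are taken literally."""
    return ISSUER.search(saml_xml).group(1)


def load_config_value(raw):
    """Expansion is kept for trusted configuration (picketlink.xml attributes),
    which is the feature the JBEAP-15494/15499 regression fixes restored."""
    return expand_properties(raw)


# Constructed inbound request carrying a placeholder instead of an entity ID.
CONSTRUCTED_REQUEST = "<AuthnRequest><Issuer>${java.home}</Issuer></AuthnRequest>"

if __name__ == "__main__":
    print("vulnerable:", parse_issuer_vulnerable(CONSTRUCTED_REQUEST))
    print("fixed:     ", parse_issuer_fixed(CONSTRUCTED_REQUEST))
    print("config:    ", load_config_value("${jboss.server.config.dir}/keystore.jks"))
```

The defensive rule the two parsers illustrate: apply property expansion only on the trusted side of the boundary (configuration you control), never on data a remote party sends.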
    
    3. Solution:
    
    Before applying this update, back up your existing Red Hat JBoss Enterprise
    Application Platform installation and deployed applications.
    
    The References section of this erratum contains a download link (you must
    log in to download the update).
    
    The JBoss server process must be restarted for the update to take effect.
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
    
    5. JIRA issues fixed (https://issues.jboss.org/):
    
    JBEAP-12932 - Upgrade WildFly Core to 4.0.1.Final
    JBEAP-13189 - Upgrade Generic JMS RA 2.0.1.Final
    JBEAP-13658 - Upgrade JGroups to 3.6.15.Final
    JBEAP-13867 - [Artemis upgrade] Transformer interface was changed
    JBEAP-13895 - [GSS](7.2.0) Upgrade picketlink from 2.5.5.SP8 to 2.5.5.SP9
    JBEAP-14222 - (EL12) Upgrade Infinispan to 9.1.6.Final to 9.1.7.Final
    JBEAP-14239 - (EL12) Upgrade Artemis to 1.5.5.009-redhat-1
    JBEAP-14386 - (7.2.0.EO12) Upgrade slf4j from 1.7.22.redhat-1 to 1.7.22.redhat-2
    JBEAP-14415 - Upgrade WildFly Core to 4.0.1.Final-redhat-1
    JBEAP-14421 - Upgrade WildFly Elytron Tool to 1.1.4.Final
    JBEAP-14422 - Upgrade WildFly Elytron to 1.2.4.Final
    JBEAP-14427 - Upgrade Undertow to 2.0.0.SP1
    JBEAP-14504 - Upgrade WildFly HTTP client 1.0.12.Final
    JBEAP-14581 - (CD12) Upgrade FasterXML Jackson from 2.9.4.redhat-1 to 2.9.5.redhat-1
    JBEAP-14811 - 7.2 - Migration Guide: Upgrade org.apache.santuario.xmlsec to 2.1.1. caused regression in PicketLinkSTS
    JBEAP-14852 - Upgrade to Galleon 1.0.1.Final and Galleon Plugins 1.0.1.Final (core)
    JBEAP-14853 - Upgrade to Galleon 1.0.1.Final and Galleon Plugins 1.0.1.Final (full)
    JBEAP-14854 - [7.2] Migration Guide: document upgrade from Hibernate ORM 5.1 to 5.3
    JBEAP-14881 - Upgrade PicketBox to 5.0.3.Final
    JBEAP-15030 - [CD14] Clarify wording on EJB timers before upgrade/migration
    JBEAP-15044 - Upgrade to Apache CXF from 3.2.4 to 3.2.5
    JBEAP-15046 - Upgrade to Apache CXF 3.2.5
    JBEAP-15069 - Installer: Upgrade IzPack aesh-readline to 1.10
    JBEAP-15123 - Upgrade PicketBox to 5.0.3.Final-redhat-2 from 5.0.3.Final-redhat-1
    JBEAP-15334 - Upgrade Infinispan to 9.3.3.Final
    JBEAP-15347 - (7.2.0) Upgrade jastow to 2.0.6.Final
    JBEAP-15351 - (7.2.0) Upgrade PicketBox from 5.0.3.Final to 5.0.3.Final-redhat-3
    JBEAP-15352 - (7.2.0) Upgrade PicketLink from 2.5.5.SP12 to 2.5.5.SP12-redhat-2
    JBEAP-15353 - (7.2.0) Upgrade PicketLink bindings from 2.5.5.SP12 to 2.5.5.SP12-redhat-2
    JBEAP-15421 - Upgrade MSC to 1.4.5.Final
    JBEAP-15431 - Upgrade WildFly Elytron to 1.6.1.Final
    JBEAP-15446 - Upgrade JGroups to 4.0.15.Final
    JBEAP-15453 - [PROD](CD14) Upgrade to wildfly-openssl from 1.0.6.Final-redhat-1 to 1.0.6.Final-redhat-2
    JBEAP-15494 - (7.2.0) (picketlink) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml 
    JBEAP-15499 - (7.2.0) (picketlink-bindings) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml 
    JBEAP-15507 - Upgrade to core 6.0.7.Final
    JBEAP-15542 - Upgrade Jboss Metadata to 12.0.0.Final 
    JBEAP-15600 - Upgrade jboss-logmanager from 2.1.4.Final to 2.1.5.Final
    JBEAP-15612 - Upgrade to Galleon and WildFly Galleon Plugins 2.0.1.Final
    JBEAP-15614 - Upgrade Core EAP to Galleon and WildFly Galleon Plugins 2.0.1.Final
    JBEAP-15625 - Upgrade smallrye-config 1.3.4
    JBEAP-15628 - [GSS](7.2.0) Upgrade jboss-ejb-client from 4.0.11 to 4.0.12
    JBEAP-15656 - Upgrade JBossWS to 5.2.4.Final
    JBEAP-15657 - Upgrade RESTEasy to 3.6.1.SP2
    JBEAP-15661 - (7.2.0)  Upgrade Hibernate ORM from 5.3.6 to 5.3.7
    JBEAP-15666 - (7.2.0) Upgrade HAL to 3.0.7.Final
    JBEAP-15720 - Upgrade Artemis to  2.6.3.redhat-00008
    JBEAP-15731 - Upgrade to WildFly Galleon Plugins 2.0.2.Final and properly configure plugin dependencies
    JBEAP-15740 - Upgrade to WildFly Core 6.0.11.Final
    JBEAP-15756 - Upgrade Artemis to  2.6.3.redhat-00012
    JBEAP-16031 - Tracker bug for the EAP 7.2.0 text only release
    
    6. References:
    
    https://access.redhat.com/security/cve/CVE-2017-2582
    https://access.redhat.com/security/updates/classification/#moderate
    https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions&version=7.2
    https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/?version=7.2
    https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/
    
    7. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce