For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.1.6 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.5,
and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.
Security Fix(es):
* wildfly-core: Cross-site scripting (XSS) in JBoss Management Console
(CVE-2018-10934)
* undertow: Infoleak in some circumstances where Undertow can serve data
from a random buffer (CVE-2018-14642)
* dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute
which can impact the integrity of XML documents (CVE-2018-1000632)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
References:
https://access.redhat.com/security/cve/CVE-2018-10934
https://access.redhat.com/security/cve/CVE-2018-14642
https://access.redhat.com/security/cve/CVE-2018-1000632
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/?version=7.1
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Server:
Source:
eap7-activemq-artemis-1.5.5.015-1.redhat_00001.1.ep7.el6.src.rpm
eap7-apache-cxf-3.1.16-2.redhat_2.1.ep7.el6.src.rpm
eap7-dom4j-2.1.1-1.redhat_00001.1.ep7.el6.src.rpm
eap7-hibernate-5.1.17-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-ironjacamar-1.4.12-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-jackson-databind-2.8.11.3-1.redhat_00001.1.ep7.el6.src.rpm
eap7-jandex-2.0.5-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-jberet-1.2.7-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-jboss-ejb-client-4.0.12-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-jboss-el-api_3.0_spec-1.0.13-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-jboss-logmanager-2.0.11-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-jboss-modules-1.6.7-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-jboss-security-negotiation-3.0.5-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-jbossws-common-3.1.7-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-narayana-5.5.34-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-picketlink-bindings-2.5.5-15.SP12_redhat_3.1.ep7.el6.src.rpm
eap7-picketlink-federation-2.5.5-15.SP12_redhat_3.1.ep7.el6.src.rpm
eap7-undertow-1.4.18-10.SP11_redhat_00001.1.ep7.el6.src.rpm
eap7-undertow-jastow-2.0.7-1.Final_redhat_00001.1.ep7.el6.src.rpm
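The source RPM list above is what a practitioner compares against after applying the update. The following script is an added example and is not part of the advisory or of any Red Hat tooling: it re-implements rpm's version ordering (rpmvercmp, without the "^" operator, which none of these versions use) and checks each installed binary package's SOURCERPM tag against the advisory's src.rpm names, so binary packages built from one source package (for example the eap7-hibernate-* packages) are all matched. The advisory subset embedded in ADVISORY_SRPMS and the sample rpm output in SAMPLE_RPM_QA are constructed for the demonstration; on a real host feed it the output of `rpm -qa --qf '%{NAME}\t%{SOURCERPM}\n'` and paste in the full src.rpm list. Epoch is ignored because the advisory's src.rpm names carry none.

```python
"""Check installed EAP 7.1 packages against the fixed source RPMs in an advisory."""
import re
import sys
from typing import Dict, List, Tuple

# Subset of the advisory's src.rpm list (constructed for the example; paste the full list).
ADVISORY_SRPMS = """
eap7-dom4j-2.1.1-1.redhat_00001.1.ep7.el6.src.rpm
eap7-hibernate-5.1.17-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-jackson-databind-2.8.11.3-1.redhat_00001.1.ep7.el6.src.rpm
eap7-jboss-modules-1.6.7-1.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-undertow-1.4.18-10.SP11_redhat_00001.1.ep7.el6.src.rpm
"""

# Constructed sample of `rpm -qa --qf '%{NAME}\t%{SOURCERPM}\n'` output (tab separated).
SAMPLE_RPM_QA = """\
eap7-undertow\teap7-undertow-1.4.18-9.SP9_redhat_1.1.ep7.el6.src.rpm
eap7-dom4j\teap7-dom4j-2.1.1-1.redhat_00001.1.ep7.el6.src.rpm
eap7-jboss-modules\teap7-jboss-modules-1.6.5-2.Final_redhat_00001.1.ep7.el6.src.rpm
eap7-hibernate-core\teap7-hibernate-5.1.17-1.Final_redhat_00001.1.ep7.el6.src.rpm
bash\tbash-4.1.2-48.el6.src.rpm
"""

# rpm splits versions into runs of digits, runs of letters, and the '~' marker;
# everything else (dots, underscores) is only a separator.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering two version/release strings like rpmvercmp():
    numeric segments compare numerically, alpha segments lexically, a numeric
    segment is newer than an alpha one, '~' sorts before anything (pre-release),
    and when all shared segments are equal the string with segments left wins."""
    if a == b:
        return 0
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            c = (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    if len(ta) > len(tb):
        return -1 if ta[len(tb)] == "~" else 1
    if len(tb) > len(ta):
        return 1 if tb[len(ta)] == "~" else -1
    return 0


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release[.src.rpm]' into (name, version, release).
    Name may itself contain dashes; version and release never do."""
    if nvr.endswith(".src.rpm"):
        nvr = nvr[: -len(".src.rpm")]
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def evr_cmp(a: Tuple[str, str], b: Tuple[str, str]) -> int:
    """Compare (version, release) pairs; release only matters if versions tie."""
    c = rpmvercmp(a[0], b[0])
    return c if c else rpmvercmp(a[1], b[1])


def parse_advisory(text: str) -> Dict[str, Tuple[str, str]]:
    """Map source package name -> fixed (version, release) from pasted src.rpm lines."""
    fixed: Dict[str, Tuple[str, str]] = {}
    for token in text.split():
        if token.endswith(".src.rpm"):
            name, version, release = split_nvr(token)
            fixed[name] = (version, release)
    return fixed


def outdated(rpm_qa_output: str, advisory_text: str) -> List[Tuple[str, str, str]]:
    """Return (binary package, installed source EVR, fixed source EVR) for every
    installed package built from a source package older than the advisory's.
    Packages not named in the advisory are ignored."""
    fixed = parse_advisory(advisory_text)
    findings = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        pkg, srpm = line.split("\t")
        sname, sver, srel = split_nvr(srpm)
        if sname in fixed and evr_cmp((sver, srel), fixed[sname]) < 0:
            findings.append((pkg, f"{sver}-{srel}", "-".join(fixed[sname])))
    return findings


if __name__ == "__main__":
    # Read real rpm output from stdin, or fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_QA
    for pkg, have, need in outdated(data, ADVISORY_SRPMS):
        print(f"{pkg}: installed from {have}, advisory requires {need}")
```

Packages absent from the host are not reported, which is the right default for a single advisory (an uninstalled component is not exposed); a non-empty result means the erratum has not been applied, or only partially, on that host.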
An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Server - noarch

Bugs fixed (https://bugzilla.redhat.com/):
1615673 - CVE-2018-10934 wildfly-core: Cross-site scripting (XSS) in JBoss Management Console
1620529 - CVE-2018-1000632 dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents
1628702 - CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer

JIRA issues fixed (https://issues.redhat.com/):
JBEAP-15311 - (7.1.z) Upgrade Hibernate ORM from 5.1.16 to 5.1.17
JBEAP-15370 - (7.1.z) Upgrade undertow from 1.4.18.SP9 to 1.4.18.SP11
JBEAP-15373 - [GSS](7.1.z) Upgrade ActiveMQ Artemis from 1.5.5.jbossorg-014 to 1.5.5.jbossorg-015
JBEAP-15391 - (7.1.z) Upgrade apache-cxf from 3.1.16.redhat-1 to 3.1.16.redhat-2
JBEAP-15440 - [GSS](7.1.z) Upgrade JBoss Modules from 1.6.5.Final-redhat-00001 to 1.6.7.Final
JBEAP-15443 - [GSS](7.1.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-3
JBEAP-15444 - [GSS](7.1.z) Upgrade PicketLink from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-3
JBEAP-15461 - Tracker bug for the EAP 7.1.6 release for RHEL-6
JBEAP-15482 - (7.1.z) Upgrade Elytron from 1.1.11.Final to 1.1.12.Final
JBEAP-15483 - (7.1.z) Upgrade Elytron-Tool from 1.0.8 to 1.0.9.Final
JBEAP-15525 - [GSS](7.1.z) Upgrade to ironjacamar from 1.4.11.Final to 1.4.12.Final
JBEAP-15528 - (7.1.z) Upgrade logmanager from 2.0.10.Final-redhat-1 to 2.0.11.Final