Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Red Hat JBoss EAP 7.4.5 RHSA-2022:4919-01 Moderate Security Advisory

red hat
Calendar Grey June 6, 2022
Dist Redhat Esm H88
The latest Red Hat JBoss EAP 7.4.5 update resolves moderate risk vulnerabilities. Find out more information here.
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8

Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.5 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* h2: Loading of custom classes from remote servers through JNDI (CVE-2022-23221)
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* h2: Remote Code Execution in Console (CVE-2021-42392)
* netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)
* xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)
* wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled (CVE-2022-0866)
* undertow: Double AJP response for 400 from EAP 7 results in CPING failures (CVE-2022-1319)
* OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646) (CVE-2022-21299)
* mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors (CVE-2022-21363)
* xerces-j2: infinite loop when handling specially crafted XML document payloads (CVE-2022-23437)
* artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* jboss-client: memory leakage in remote client transaction (CVE-2022-0853)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory security update moderate severity Red Hat JBoss enterprise application platform

References

https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2021-37136 https://access.redhat.com/security/cve/CVE-2021-37137 https://access.redhat.com/security/cve/CVE-2021-42392 https://access.redhat.com/security/cve/CVE-2021-43797 https://access.redhat.com/security/cve/CVE-2022-0084 https://access.redhat.com/security/cve/CVE-2022-0853 https://access.redhat.com/security/cve/CVE-2022-0866 https://access.redhat.com/security/cve/CVE-2022-1319 https://access.redhat.com/security/cve/CVE-2022-21299 https://access.redhat.com/security/cve/CVE-2022-21363 https://access.redhat.com/security/cve/CVE-2022-23221 https://access.redhat.com/security/cve/CVE-2022-23437 https://access.redhat.com/security/cve/CVE-2022-23913 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

Package List

Red Hat JBoss EAP 7.4 for RHEL 8:
Source: eap7-activemq-artemis-2.16.0-9.redhat_00042.1.el8eap.src.rpm eap7-h2database-1.4.197-2.redhat_00004.1.el8eap.src.rpm eap7-hal-console-3.3.12-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-5.3.26-1.Final_redhat_00002.2.el8eap.src.rpm eap7-hibernate-validator-6.0.23-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jackson-annotations-2.12.6-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-core-2.12.6-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-databind-2.12.6.1-1.redhat_00003.1.el8eap.src.rpm eap7-jackson-jaxrs-providers-2.12.6-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-modules-base-2.12.6-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-modules-java8-2.12.6-1.redhat_00001.1.el8eap.src.rpm eap7-jberet-1.3.9-1.SP1_redhat_00001.1.el8eap.src.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP05_redhat_00002.1.el8eap.src.rpm eap7-jboss-remoting-5.0.24-1.SP1_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.10.0-16.Final_redhat_00015.1.el8eap.src.rpm eap7-jboss-xnio-base-3.8.7-1.SP1_redhat_00001.1.el8eap.src.rpm eap7-log4j-2.17.1-2.redhat_00002.1.el8eap.src.rpm eap7-netty-4.1.72-4.Final_redhat_00001.1.el8eap.src.rpm eap7-netty-tcnative-2.0.48-1.Final_redhat_00001.1.el8eap.src.rpm

Read the Full Advisory


Advisory ID: RHSA-2022:4919-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:4919
Issue date: 2022-06-06

Topic

A security update is now available for Red Hat JBoss Enterprise ApplicationPlatform 7.4 for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory security update moderate severity Red Hat JBoss enterprise application platform

Relevant Releases Architectures

Red Hat JBoss EAP 7.4 for RHEL 8 - noarch, x86_64

Bugs Fixed

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data

2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way

2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling

2039403 - CVE-2021-42392 h2: Remote Code Execution in Console

2041472 - CVE-2022-21299 OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646)

2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI

2047200 - CVE-2022-23437 xerces-j2: infinite loop when handling specially crafted XML document payloads

2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors2060725 - CVE-2022-0853 jboss-client: memory leakage in remote client transaction

2060929 - CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled

2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS

2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here