Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Red Hat JBoss: RHSA-2023-1516-01 Important Remote Execution Risks

red hat
Calendar Grey April 1, 2023
Dist Redhat Esm H88
The latest Red Hat JBoss Enterprise Application update addresses critical vulnerabilities, including risks of unauthorized remote access and possible Denial of Service (DoS) issues
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Summary

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)
* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider (CVE-2022-45787)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory DoS attack security impact application platform RCE risk Java applications Red Hat JBoss

References

https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-4492 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/cve/CVE-2022-41853 https://access.redhat.com/security/cve/CVE-2022-41854 https://access.redhat.com/security/cve/CVE-2022-41881 https://access.redhat.com/security/cve/CVE-2022-45787 https://access.redhat.com/security/cve/CVE-2023-0482 https://access.redhat.com/security/cve/CVE-2023-1108 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=7.4 https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

Package List


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2023:1516-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1516
Issue date: 2023-03-29

Topic

A security update is now available for Red Hat JBoss Enterprise ApplicationPlatform 7.4.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory DoS attack security impact application platform RCE risk Java applications Red Hat JBoss

Relevant Releases Architectures

Bugs Fixed

2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode

2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack

2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution

2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow

2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client

2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS

2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider

2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files

2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close

5. JIRA issues fixed (https://issues.redhat.com/):

JBEAP-23572 - (7.4.z) Upgrade jbossws-spi from 3.3.1.Final-redhat-00001 to 3.4.0.Final-redhat-00001

JBEAP-24172 - (7.4.z) Upgrade jbossws-cxf from 5.4.4.Final-redhat-00001 to 5.4.8.Final-redhat-00001

JBEAP-24182 - (7.4.z) Upgrade wildfly-http-ejb-client from 1.1.13.SP1-redhat-00001 to 1.1.16.Final-redhat-00002

JBEAP-24220 - [GSS](7.4.z) Upgrade JBoss Metadata from 13.0.0.Final-redhat-00001 to 13.4.0.Final-redhat-00001

JBEAP-24254 - JDK17, CLI script to update security doesn't apply to microprofile

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here