Red Hat Product Errata RHSA-2017:3399 - Security Advisory

Issued:: 2017-12-07
Updated:: 2017-12-07

RHSA-2017:3399 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat JBoss Enterprise Application Platform 5.2 security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 5 and Red Hat JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.

This asynchronous patch is a security update for log4j package in Red Hat JBoss Enterprise Application Platform 5.2.0.

Security Fix(es):

It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)

Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

JBoss Enterprise Application Platform 5 for RHEL 6 x86_64
JBoss Enterprise Application Platform 5 for RHEL 6 i386
JBoss Enterprise Application Platform 5 for RHEL 5 x86_64
JBoss Enterprise Application Platform 5 for RHEL 5 i386

Fixes

BZ - 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability

CVEs

CVE-2017-5645

References

Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Application Platform 5 for RHEL 6

SRPM
log4j-1.2.14-19.patch_01.ep5.el6.src.rpm	SHA-256: fade4390c4daf5b730ffe51a954c6f74a8dad3d7a388a938ce4c55d0b28861ee
x86_64
log4j-1.2.14-19.patch_01.ep5.el6.noarch.rpm	SHA-256: a0df3c67cb0917dfc4e85707d36a0be53d7ddffaae6cc727b1b73b02fc8acbba
i386
log4j-1.2.14-19.patch_01.ep5.el6.noarch.rpm	SHA-256: a0df3c67cb0917dfc4e85707d36a0be53d7ddffaae6cc727b1b73b02fc8acbba

JBoss Enterprise Application Platform 5 for RHEL 5

SRPM
log4j-1.2.14-19.patch_01.ep5.el5.src.rpm	SHA-256: 9fe3b7448de43a7e134178d20e3c12055a6b4a6508542d57527007f87c868777
x86_64
log4j-1.2.14-19.patch_01.ep5.el5.noarch.rpm	SHA-256: e2321c72fff0ff0ccd3e34d71da438f7de7a5eb225e65ab5b7daf4367c6394cf
i386
log4j-1.2.14-19.patch_01.ep5.el5.noarch.rpm	SHA-256: e2321c72fff0ff0ccd3e34d71da438f7de7a5eb225e65ab5b7daf4367c6394cf

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories