Red Hat Product Errata RHSA-2018:0004 - Security Advisory

Issued: 2018-01-03
Updated: 2018-01-03

Synopsis

Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 7

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 7.0.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent POST requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API. (CVE-2017-12629)
  • It was discovered that the jboss init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2017-12189)
  • It was found that GZIPInterceptor is enabled in RESTEasy even when it is not required. An attacker could use this flaw to launch a denial of service attack. (CVE-2016-6346)
  • It was found that the fix for CVE-2017-2666 was incomplete and that invalid characters were still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but interpreted them differently, to inject data into the HTTP response. By manipulating the HTTP response, the attacker could poison a web cache, perform an XSS attack, or obtain sensitive information from requests other than their own. (CVE-2017-7559)
  • It was discovered that the CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client- and server-side cache poisoning in some circumstances. (CVE-2017-7561)
  • It was found that the properties-based files of the management and application realm configuration that contain user-to-role mappings were world readable, exposing user and role information to all users logged in to the system. (CVE-2017-12167)
  • It was discovered that Undertow processed HTTP request headers containing unusual whitespace, which could allow HTTP request smuggling. (CVE-2017-12165)

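The missing Vary header behind CVE-2017-7561 can be checked for in captured traffic. The following is an added example, not Red Hat's or RESTEasy's code: it flags a CORS response whose Access-Control-Allow-Origin reflects the request's Origin without a Vary: Origin header (the condition under which a shared cache can serve one origin's response to another), and shows the corrected header set. The sample exchanges are constructed, not captured from any real server.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Exchange:
    request: Dict[str, str]   # request header fields
    response: Dict[str, str]  # response header fields

def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP field names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def vary_covers_origin(vary: Optional[str]) -> bool:
    """True if Vary lists Origin, or '*' (which covers every request header)."""
    if vary is None:
        return False
    tokens = {t.strip().lower() for t in vary.split(",")}
    return "origin" in tokens or "*" in tokens

def cors_vary_finding(ex: Exchange) -> Optional[str]:
    """Report the CVE-2017-7561 condition: origin-specific ACAO, no Vary: Origin."""
    origin = get_header(ex.request, "Origin")
    acao = get_header(ex.response, "Access-Control-Allow-Origin")
    if origin is None or acao is None or acao == "*":
        return None  # not a CORS response, or identical for every origin
    if acao != origin:
        return None  # fixed allow-list value, not derived from this request
    if vary_covers_origin(get_header(ex.response, "Vary")):
        return None  # caches will key on Origin, so responses cannot be mixed
    return f"ACAO '{acao}' reflects Origin but response lacks 'Vary: Origin'"

def add_vary_origin(response: Dict[str, str]) -> Dict[str, str]:
    """Corrected form: add Origin to Vary whenever ACAO is origin-specific."""
    fixed = dict(response)  # leave the caller's headers untouched
    acao = get_header(fixed, "Access-Control-Allow-Origin")
    if acao is None or acao == "*":
        return fixed
    vary = get_header(fixed, "Vary")
    if not vary_covers_origin(vary):
        key = next((k for k in fixed if k.lower() == "vary"), "Vary")
        fixed[key] = "Origin" if not vary else f"{vary}, Origin"
    return fixed

# Constructed sample exchanges (not captured from any real server).
SAMPLES: List[Exchange] = [
    Exchange({"Origin": "https://app.example"},
             {"Access-Control-Allow-Origin": "https://app.example"}),  # flagged
    Exchange({"Origin": "https://app.example"},
             {"Access-Control-Allow-Origin": "https://app.example",
              "Vary": "Accept-Encoding, Origin"}),  # fine
    Exchange({"Origin": "https://app.example"},
             {"Access-Control-Allow-Origin": "*"}),  # fine: same for every origin
]
```
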
Red Hat would like to thank Mikhail Egorov (Odin) for reporting CVE-2016-6346. The CVE-2017-7559 and CVE-2017-12165 issues were discovered by Stuart Douglas (Red Hat); the CVE-2017-7561 issue was discovered by Jason Shepherd (Red Hat Product Security); and the CVE-2017-12167 issue was discovered by Brian Stansberry (Red Hat) and Jeremy Choi (Red Hat).

Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Application Platform 7.0 for RHEL 7 x86_64

Fixes

  • BZ - 1372120 - CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack
  • BZ - 1481665 - CVE-2017-7559 undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
  • BZ - 1483823 - CVE-2017-7561 resteasy: Vary header not added by CORS filter leading to cache poisoning
  • BZ - 1490301 - CVE-2017-12165 undertow: improper whitespace parsing leading to potential HTTP request smuggling
  • BZ - 1491612 - CVE-2017-12167 EAP-7: Wrong privileges on multiple property files
  • BZ - 1499631 - CVE-2017-12189 jboss: unsafe chown of server.log in jboss init script allows privilege escalation (Incomplete fix for CVE-2016-8656)
  • BZ - 1501529 - CVE-2017-12629 Solr: Code execution via entity expansion

CVEs

  • CVE-2016-6346
  • CVE-2017-7559
  • CVE-2017-7561
  • CVE-2017-12165
  • CVE-2017-12167
  • CVE-2017-12189
  • CVE-2017-12629

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/
  • https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/
  • https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/
Note: More recent versions of these packages may be available.

JBoss Enterprise Application Platform 7.0 for RHEL 7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
