Issued: 2018-04-03
Updated: 2018-04-03
RHSA-2018:0628 - Security Advisory
Synopsis
Important: Red Hat JBoss Enterprise Application Platform 7.1 security update
Type/Severity
Security Advisory: Important
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on WildFly.
This asynchronous patch is a security update for slf4j package in Red Hat JBoss Enterprise Application Platform 7.1.
Security Fix(es):
- An XML deserialization vulnerability was discovered in the EventData class of slf4j-ext. Its String constructor passes the supplied string to java.beans.XMLDecoder, which instantiates whatever classes and invokes whatever methods the XML describes, so an attacker who controls that string can achieve arbitrary code execution in the application's JVM. (CVE-2018-8088)
The Simple Logging Facade for Java (SLF4J) is a simple facade for various logging APIs that allows the end user to plug in the desired implementation at deployment time. SLF4J also allows for a gradual migration path away from Jakarta Commons Logging (JCL).
Red Hat would like to thank Chris McCown for reporting CVE-2018-8088.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
- JBoss Enterprise Application Platform 7.1 for RHEL 7 x86_64
- JBoss Enterprise Application Platform 7.1 for RHEL 6 x86_64
- JBoss Enterprise Application Platform 7.1 for RHEL 6 i386
Fixes
- BZ - 1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
CVEs
- CVE-2018-8088
References
JBoss Enterprise Application Platform 7.1 for RHEL 7
| SRPM | |
|---|---|
| eap7-slf4j-1.7.22-3.redhat_2.1.ep7.el7.src.rpm | SHA-256: 77d75e610d19a2439b39015268f8ddac7a2cc32236abe82cf22eb2d3183810fe |
| x86_64 | |
| eap7-jcl-over-slf4j-1.7.22-3.redhat_2.1.ep7.el7.noarch.rpm | SHA-256: a982168e032e5b6ea4c0da4108e0f58b519f7bad3c09fe2954bde5c4514bc0de |
| eap7-slf4j-1.7.22-3.redhat_2.1.ep7.el7.noarch.rpm | SHA-256: d358880abc4c899518374edbed461c54b23281a3a18fe0122d071b8443fbaa95 |
| eap7-slf4j-api-1.7.22-3.redhat_2.1.ep7.el7.noarch.rpm | SHA-256: 85b4314159d99a597f91cda2c986ab4264d486080361c9d84f2382f466fef827 |
| eap7-slf4j-ext-1.7.22-3.redhat_2.1.ep7.el7.noarch.rpm | SHA-256: 77233273e213b3f7d8037f7d30d16579cde80dc67c59f6e152be2a0192fdb8b5 |
JBoss Enterprise Application Platform 7.1 for RHEL 6
| SRPM | |
|---|---|
| eap7-slf4j-1.7.22-3.redhat_2.1.ep7.el6.src.rpm | SHA-256: a3cb7abcf594bb7bc062ee3d0e2e428bef35e73cc72165f8de2a20b1e7715ad7 |
| x86_64 | |
| eap7-jcl-over-slf4j-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm | SHA-256: 257232eac05931f412c9fb68db66897f2284d577b5601de3599623c211cbfb3a |
| eap7-slf4j-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm | SHA-256: 7e7f3bba97db8b10717b3dfeefd6c2ed3da14e3f74fd000509101ca8783bf197 |
| eap7-slf4j-api-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm | SHA-256: 65f5ea8553c5c38f750ed62e54b6170832d7011a98361ab7a76642400381129a |
| eap7-slf4j-ext-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm | SHA-256: ed26a069b3425d0110f9bcfdf10e5607e4aa4428a11530c23d0a8b40b113abb1 |
| i386 | |
| eap7-jcl-over-slf4j-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm | SHA-256: 257232eac05931f412c9fb68db66897f2284d577b5601de3599623c211cbfb3a |
| eap7-slf4j-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm | SHA-256: 7e7f3bba97db8b10717b3dfeefd6c2ed3da14e3f74fd000509101ca8783bf197 |
| eap7-slf4j-api-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm | SHA-256: 65f5ea8553c5c38f750ed62e54b6170832d7011a98361ab7a76642400381129a |
| eap7-slf4j-ext-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm | SHA-256: ed26a069b3425d0110f9bcfdf10e5607e4aa4428a11530c23d0a8b40b113abb1 |
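Two checks a practitioner wants after reading the Solution section and the package tables above: whether the eap7-slf4j-ext build installed on a host is at or above the fixed build, and whether RPMs pulled for offline installation carry the SHA-256 values published in this advisory. The script below is an added example, not Red Hat tooling. It embeds the fixed version-release and the SHA-256 values from the tables above, implements RPM's own label comparison (rpmvercmp) so that release strings such as 3.redhat_2.1.ep7.el7 compare the way rpm compares them, and reads the installed version from rpm's query output so it can also be fed a captured line. The older release 2.redhat_1.1.ep7.el7 used in the usage note is a constructed example of a pre-fix build, not a build named by the advisory.

```python
"""Check a host against RHSA-2018:0628 (added example, not Red Hat's own tooling).

1. is_fixed(): is the installed eap7-slf4j-ext at or above the fixed build?
2. sha256_matches(): does a downloaded RPM match the advisory's SHA-256 table?
"""
import hashlib
import os
import re
import subprocess

# Fixed build taken from the advisory's package tables (epoch 0 assumed).
FIXED_VERSION = "1.7.22"
FIXED_RELEASE = {"el6": "3.redhat_2.1.ep7.el6", "el7": "3.redhat_2.1.ep7.el7"}

# SHA-256 values copied from the RHEL 7 and RHEL 6 tables in the advisory.
ADVISORY_SHA256 = {
    "eap7-jcl-over-slf4j-1.7.22-3.redhat_2.1.ep7.el7.noarch.rpm":
        "a982168e032e5b6ea4c0da4108e0f58b519f7bad3c09fe2954bde5c4514bc0de",
    "eap7-slf4j-1.7.22-3.redhat_2.1.ep7.el7.noarch.rpm":
        "d358880abc4c899518374edbed461c54b23281a3a18fe0122d071b8443fbaa95",
    "eap7-slf4j-api-1.7.22-3.redhat_2.1.ep7.el7.noarch.rpm":
        "85b4314159d99a597f91cda2c986ab4264d486080361c9d84f2382f466fef827",
    "eap7-slf4j-ext-1.7.22-3.redhat_2.1.ep7.el7.noarch.rpm":
        "77233273e213b3f7d8037f7d30d16579cde80dc67c59f6e152be2a0192fdb8b5",
    "eap7-jcl-over-slf4j-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm":
        "257232eac05931f412c9fb68db66897f2284d577b5601de3599623c211cbfb3a",
    "eap7-slf4j-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm":
        "7e7f3bba97db8b10717b3dfeefd6c2ed3da14e3f74fd000509101ca8783bf197",
    "eap7-slf4j-api-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm":
        "65f5ea8553c5c38f750ed62e54b6170832d7011a98361ab7a76642400381129a",
    "eap7-slf4j-ext-1.7.22-3.redhat_2.1.ep7.el6.noarch.rpm":
        "ed26a069b3425d0110f9bcfdf10e5607e4aa4428a11530c23d0a8b40b113abb1",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """RPM's label comparison for a single version or release string.

    Segments are runs of digits or letters; separators are ignored. Numeric
    segments compare as integers, alphabetic ones as strings, a numeric
    segment beats an alphabetic one, and leftover segments win. The tilde
    and caret pre-release markers of newer rpm versions are not handled.
    Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(seg_a) == len(seg_b):
        return 0
    return -1 if len(seg_a) < len(seg_b) else 1


def evr_cmp(e1: int, v1: str, r1: str, e2: int, v2: str, r2: str) -> int:
    """Compare two (epoch, version, release) triples the way rpm does."""
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = rpmvercmp(v1, v2)
    return c if c else rpmvercmp(r1, r2)


def is_fixed(rpm_query_line: str) -> bool:
    """Decide from one line of
         rpm -q --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\\n' eap7-slf4j-ext
    whether the installed build is at or above the advisory's fixed build.
    The dist tag (el6/el7) is taken from the end of the release string."""
    _name, epoch, version, release = rpm_query_line.split()
    epoch_n = 0 if epoch == "(none)" else int(epoch)
    dist = release.rsplit(".", 1)[-1]
    if dist not in FIXED_RELEASE:
        raise ValueError(f"unexpected dist tag {dist!r}; advisory covers el6/el7")
    return evr_cmp(epoch_n, version, release, 0, FIXED_VERSION, FIXED_RELEASE[dist]) >= 0


def sha256_matches(rpm_name: str, data: bytes) -> bool:
    """True if data hashes to the SHA-256 the advisory lists for rpm_name."""
    expected = ADVISORY_SHA256.get(rpm_name)
    if expected is None:
        raise KeyError(f"{rpm_name} is not listed in RHSA-2018:0628")
    return hashlib.sha256(data).hexdigest() == expected


def verify_rpm_file(path: str) -> bool:
    """Hash a downloaded RPM on disk and compare it with the advisory table."""
    with open(path, "rb") as fh:
        return sha256_matches(os.path.basename(path), fh.read())


if __name__ == "__main__":
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n", "eap7-slf4j-ext"],
        capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        print(line, "-> fixed" if is_fixed(line) else "-> VULNERABLE, apply RHSA-2018:0628")
```

Fed the captured line `eap7-slf4j-ext (none) 1.7.22 2.redhat_1.1.ep7.el7` (a constructed pre-fix build), `is_fixed()` returns False because release segment 2 sorts below the advisory's 3; fed `eap7-slf4j-ext (none) 1.7.22 3.redhat_2.1.ep7.el7` it returns True. A plain string comparison would get cases such as release 10 versus release 3 wrong, which is why the rpmvercmp segment logic is worth carrying rather than comparing the strings directly.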
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
