Red Hat Product Errata RHSA-2023:0553 - Security Advisory
Issued:
2023-01-31
Updated:
2023-01-31

RHSA-2023:0553 - Security Advisory

Synopsis

Important: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

  • jquery: Prototype pollution in object's prototype leading to denial of

service, remote code execution, or property injection (CVE-2019-11358)

  • jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
  • bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute

(CVE-2018-14040)

  • jquery: Untrusted code execution via <option> tag in HTML passed to DOM

manipulation methods (CVE-2020-11023)

  • jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method

(CVE-2020-11022)

  • bootstrap: XSS in the data-target attribute (CVE-2016-10735)
  • bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy

(CVE-2018-14041)

  • sshd-common: mina-sshd: Java unsafe deserialization vulnerability

(CVE-2022-45047)

  • woodstox-core: woodstox to serialise XML data was vulnerable to Denial of

Service attacks (CVE-2022-40152)

  • bootstrap: Cross-site Scripting (XSS) in the data-container property of

tooltip (CVE-2018-14042)

  • bootstrap: XSS in the tooltip or popover data-template attribute

(CVE-2019-8331)

  • nodejs-moment: Regular expression denial of service (CVE-2017-18214)
  • wildfly-elytron: possible timing attacks via use of unsafe comparator

(CVE-2022-3143)

  • jackson-databind: use of deeply nested arrays (CVE-2022-42004)
  • jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

(CVE-2022-42003)

  • jettison: parser crash by stackoverflow (CVE-2022-40149)
  • jettison: memory exhaustion via user-supplied XML or JSON data

(CVE-2022-40150)

  • jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
  • CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Application Platform 7.4 for RHEL 8 x86_64

Fixes

  • BZ - 1399546 - CVE-2015-9251 jquery: Cross-site scripting via cross-domain ajax requests
  • BZ - 1553413 - CVE-2017-18214 nodejs-moment: Regular expression denial of service
  • BZ - 1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
  • BZ - 1601616 - CVE-2018-14041 bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy
  • BZ - 1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
  • BZ - 1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
  • BZ - 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
  • BZ - 1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
  • BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
  • BZ - 1850004 - CVE-2020-11023 jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods
  • BZ - 2124682 - CVE-2022-3143 wildfly-elytron: possible timing attacks via use of unsafe comparator
  • BZ - 2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
  • BZ - 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
  • BZ - 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
  • BZ - 2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
  • BZ - 2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow
  • BZ - 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
  • BZ - 2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
  • BZ - 2155970 - CVE-2022-45693 jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos
  • JBEAP-23927 - Tracker bug for the EAP 7.4.9 release for RHEL-8
  • JBEAP-24055 - (7.4.z) Upgrade HAL from 3.3.15.Final-redhat-00001 to 3.3.16.Final-redhat-00001
  • JBEAP-24081 - (7.4.z) Upgrade Elytron from 1.15.14.Final-redhat-00001 to 1.15.15.Final-redhat-00001
  • JBEAP-24095 - (7.4.z) Upgrade elytron-web from 1.9.2.Final-redhat-00001 to 1.9.3.Final-redhat-00001
  • JBEAP-24100 - [GSS](7.4.z) Upgrade Undertow from 2.2.20.SP1-redhat-00001 to 2.2.22.SP3-redhat-00001
  • JBEAP-24127 - (7.4.z) UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value
  • JBEAP-24128 - (7.4.z) Upgrade Hibernate Search from 5.10.7.Final-redhat-00001 to 5.10.13.Final-redhat-00001
  • JBEAP-24132 - [GSS](7.4.z) Upgrade Ironjacamar from 1.5.3.SP2-redhat-00001 to 1.5.10.Final-redhat-00001
  • JBEAP-24147 - (7.4.z) Upgrade jboss-ejb-client from 4.0.45.Final-redhat-00001 to 4.0.49.Final-redhat-00001
  • JBEAP-24167 - (7.4.z) Upgrade WildFly Core from 15.0.19.Final-redhat-00001 to 15.0.21.Final-redhat-00002
  • JBEAP-24191 - [GSS](7.4.z) Upgrade remoting from 5.0.26.SP1-redhat-00001 to 5.0.27.Final-redhat-00001
  • JBEAP-24195 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP06-redhat-00001 to 3.0.0.SP07-redhat-00001
  • JBEAP-24207 - (7.4.z) Upgrade Soteria from 1.0.1.redhat-00002 to 1.0.1.redhat-00003
  • JBEAP-24248 - (7.4.z) ELY-2492 - Upgrade sshd-common in Elytron from 2.7.0 to 2.9.2
  • JBEAP-23864 - (7.4.z) Upgrade xmlsec from 2.1.7.redhat-00001 to 2.2.3.redhat-00001
  • JBEAP-23865 - [GSS](7.4.z) Upgrade Apache CXF from 3.3.13.redhat-00001 to 3.4.10.redhat-00001
  • JBEAP-23866 - (7.4.z) Upgrade wss4j from 2.2.7.redhat-00001 to 2.3.3.redhat-00001
  • JBEAP-24426 - (7.4.z) Upgrade Elytron from 1.15.15.Final-redhat-00001 to 1.15.16.Final-redhat-00001
  • JBEAP-24427 - (7.4.z) Upgrade WildFly Core from 15.0.21.Final-redhat-00002 to 15.0.22.Final-redhat-00001

JBoss Enterprise Application Platform 7.4 for RHEL 8

SRPM
eap7-apache-sshd-2.9.2-1.redhat_00001.1.el8eap.src.rpm SHA-256: c7fa8b7d1d27057962197560919aea26feb0c4c52b05841a7e2f29fe2925db31
eap7-elytron-web-1.9.3-1.Final_redhat_00001.1.el8eap.src.rpm SHA-256: 909346bf8289392a1b62ab67c977a81e6dfa6688dfaa605035f0cca711b34737
eap7-hal-console-3.3.16-1.Final_redhat_00001.1.el8eap.src.rpm SHA-256: d0c01ab7c63c1de12819b977a37f4cd43313c9b438152be91d32c9d32fe84338
eap7-hibernate-search-5.10.13-3.Final_redhat_00001.1.el8eap.src.rpm SHA-256: 6533daec78811acba4c5dca875217fb660fd02acefcb5cd57be23cccc93fc62e
eap7-ironjacamar-1.5.10-1.Final_redhat_00001.1.el8eap.src.rpm SHA-256: 49bd5d51f20f42d9d4d2614e8d8b72e042a3f5411322f7a8bc82306cd028a3bd
eap7-jackson-annotations-2.12.7-1.redhat_00003.1.el8eap.src.rpm SHA-256: fcf26415f74434543f0dbf88ccc864fd40f059b2df6d0b42257a6d1f9d5373fc
eap7-jackson-core-2.12.7-1.redhat_00003.1.el8eap.src.rpm SHA-256: d31c434675c837e85cb6ee7939488bfc4c73445f6d75cc5feab369c6a0284278
eap7-jackson-databind-2.12.7-1.redhat_00003.1.el8eap.src.rpm SHA-256: c99b04511e91883d09e2c421759f627a5e4737de87670cf362fed0ac5b5a51d9
eap7-jackson-jaxrs-providers-2.12.7-1.redhat_00003.1.el8eap.src.rpm SHA-256: 16b6335967a6c6c2cdd2212c70effb11b7a3fb1cc3c78e0fc3a6fc369a6ad032
eap7-jackson-modules-base-2.12.7-1.redhat_00003.1.el8eap.src.rpm SHA-256: d5891da1067b03fde68b187662c0d09d7a55847c982293e38024f128a7433234
eap7-jackson-modules-java8-2.12.7-1.redhat_00003.1.el8eap.src.rpm SHA-256: a48defc4e049de8d572b2f744fc21b82d323a1db7340f03efad9e0ac420cda59
eap7-javaee-security-soteria-1.0.1-3.redhat_00003.1.el8eap.src.rpm SHA-256: 1c7a1f5deec434c222d8e4b450aefb66e793c269dd2309b3223e2c018be30932
eap7-jboss-ejb-client-4.0.49-1.Final_redhat_00001.1.el8eap.src.rpm SHA-256: c05ab50d5a415483513dc7f0a2f765a668fd325a7240b6682423e9e41fd68220
eap7-jboss-jsf-api_2.3_spec-3.0.0-6.SP07_redhat_00001.1.el8eap.src.rpm SHA-256: 4a0fdf594855f0443525b6334f26e73c89364909d6ce84fba44100a9898a81b0
eap7-jboss-jsp-api_2.3_spec-2.0.0-3.Final_redhat_00001.1.el8eap.src.rpm SHA-256: 215d40164f75f6470484e9d9b824a1e3667efc9ec25b4163d97b2e6a10d19595
eap7-jboss-remoting-5.0.27-1.Final_redhat_00001.1.el8eap.src.rpm SHA-256: 140d6dd9f3a3e4843fa01d70a34c1cca23d52bf5b735dff0c8cab5423b72d4fa
eap7-jboss-server-migration-1.10.0-24.Final_redhat_00023.1.el8eap.src.rpm SHA-256: 7ad656253d5fb1b3bdb2ea03f022e0765ffa7c3debdde64b8bbef71c2a0d96cd
eap7-jettison-1.5.2-1.redhat_00002.1.el8eap.src.rpm SHA-256: 6c98f4e6b8726811480cafc508d296601dd26afb93a622ac0e2f45fa3bf373e4
eap7-undertow-2.2.22-1.SP3_redhat_00001.1.el8eap.src.rpm SHA-256: 3f21056be117cfe6f1d10e2cd067faa133fc53edf1cd4cb69a766cfbf699fa91
eap7-wildfly-7.4.9-4.GA_redhat_00003.1.el8eap.src.rpm SHA-256: d48e3c8f592bf689cb07a2fc3dd7d7182130c8806ceb118da5f31280da91b5e8
eap7-wildfly-elytron-1.15.16-1.Final_redhat_00001.1.el8eap.src.rpm SHA-256: 164654360e3e464d9db1622b03968100389f190aeb525f97b7d23d479b496470
eap7-woodstox-core-6.4.0-1.redhat_00001.1.el8eap.src.rpm SHA-256: d16c66bbd7f2fa5a9a272270b0184be670edf466337e10d84b76d36036708abf
x86_64
eap7-apache-sshd-2.9.2-1.redhat_00001.1.el8eap.noarch.rpm SHA-256: ae0b9864fd9577d7ffb3e2d3badac96ab220ea0623ee66695ca3f509468ff8ce
eap7-hal-console-3.3.16-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 7c3d28e8acda0db8eb0c54a7435c0cdfdcdac3b9d4348ac53df09d3900a76549
eap7-hibernate-search-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: a16756020a81fb4323a3087ca29d570a0090821dd81ae0da9a32b51bd352657c
eap7-hibernate-search-backend-jgroups-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 24d43593458cde8221630450330245ef19e201365d472cedd5bf3dbb5cad59ea
eap7-hibernate-search-backend-jms-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 6d55c5a4b422730ecb9bc35955d48d87b139af2560e2b41ec6c35c2edf37ac82
eap7-hibernate-search-engine-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 6aaf4c1622e83e13c872a400cd39270b6deb6305529fd328defa5f5ad4ebb8c1
eap7-hibernate-search-orm-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: c8b2df9f90c1ef20de4c36dff2693b007b146bd4bfac2c95d77735dc756af4fe
eap7-hibernate-search-serialization-avro-5.10.13-3.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 3827ef73b7654294af2eff01e2404b88a1746f72b28cff6acdd308f264e678b3
eap7-ironjacamar-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 5076ed83300e77674c6d000f2e8b34c81418ac9b7ef3ad80df20fee73fe03a90
eap7-ironjacamar-common-api-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: d8edec1e364de6c8b2a6d55509b88138ef01e85012ca672a1398984e7e0b246b
eap7-ironjacamar-common-impl-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 2e1b3593b76902bada58fcbd83e11528357497c560ac3f71a6ce952347c0d639
eap7-ironjacamar-common-spi-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 037bebbc9a9c668a482fdec252405aa8dd90925daccdb47d79f59c7bce00f826
eap7-ironjacamar-core-api-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 393a1595aec1ba97cf758c000938b73fdcfb44e5d8dde194c457c788b6b4e181
eap7-ironjacamar-core-impl-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 67c59609a63c09c3fe4907ff04f5501ad2af95cae0b23999cf0f12a6ff44483d
eap7-ironjacamar-deployers-common-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: c1bf8367221583dcac95b0caa1435fac04d5a25f1e40bdb4bce1d0c134501e8c
eap7-ironjacamar-jdbc-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: c465324498ef5d91ef3a402c7df7b8d86900e532ddde4bcb970a4b24474c9ab1
eap7-ironjacamar-validator-1.5.10-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: af228dfa94a26240e2ce9efe62e1e3dcd6bfa6bc32a68f3f822f3fd366ec2bdd
eap7-jackson-annotations-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm SHA-256: ac2b36e91d95cd09180928180e101bb37d4fbdcd604307dd42d703bd80572f0b
eap7-jackson-core-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm SHA-256: ccf24cf2c0e998cb5cfb44c13e260de8de17dd391d26314f5f5d84951d1534b7
eap7-jackson-databind-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm SHA-256: 340db8e0389f90face3913bc792d640b8603b1bb53759126a6891bbdd341d7f0
eap7-jackson-datatype-jdk8-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm SHA-256: 61e6c7473f79f83f89a576cccad7ba1ffbdf6ac7c5d6e036c6f27367c4fc241e
eap7-jackson-datatype-jsr310-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm SHA-256: c19d14b1c7b29a555d55f37adba7bea9ebfb77b1e07d29cb3e38200b032ecca5
eap7-jackson-jaxrs-base-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm SHA-256: f0049acd65638ea7b4d80ba329a880aba3e57b903bc4564dec8bb812e02c7826
eap7-jackson-jaxrs-json-provider-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm SHA-256: ab7e9bef635eba4522870f0d80631c562745277b266415fffe6fb25a0fe07a00
eap7-jackson-module-jaxb-annotations-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm SHA-256: 8494bcab4953e41d50ab06c2308718a0766a591eda6e3b8aa4a1ac8b04935429
eap7-jackson-modules-base-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm SHA-256: dfda7ae9676debc829867abb2cc9973a09cfafd558e485d85746befb9cf8a950
eap7-jackson-modules-java8-2.12.7-1.redhat_00003.1.el8eap.noarch.rpm SHA-256: 46c4f976f135d915dae542a8039a8ec24719d3c36fd575eeda0d1a45739eda8b
eap7-javaee-security-soteria-1.0.1-3.redhat_00003.1.el8eap.noarch.rpm SHA-256: 46cbb6e6c8d6de670af9b89ca428ebcaf2d98a59411fa413270beae12bc22172
eap7-javaee-security-soteria-enterprise-1.0.1-3.redhat_00003.1.el8eap.noarch.rpm SHA-256: 979832bfd0614bdcc02e1c94261c3cbf7a7ad7c3a53abe1d89d9196e6d0115f5
eap7-jboss-ejb-client-4.0.49-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 157126e830f3764ec75b286d647f9709d58acc8e9858d5791602ab7c8ac1741c
eap7-jboss-jsf-api_2.3_spec-3.0.0-6.SP07_redhat_00001.1.el8eap.noarch.rpm SHA-256: 2039f82e81b29fb9c722eba0dfad1dc81c4b9d871ba065c8569a887962a50b54
eap7-jboss-jsp-api_2.3_spec-2.0.0-3.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: e9c643f4f9e5fdbe5525f1e92dcb12f95db219ac52543f6aec6bdec59fac0b2f
eap7-jboss-remoting-5.0.27-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: e42c8515a27d472432f22df5a66d507dcff832cf46010e9dd8ac18e3618c8703
eap7-jboss-server-migration-1.10.0-24.Final_redhat_00023.1.el8eap.noarch.rpm SHA-256: 8a70fea05499bd0255232f33d39275aacdaee0d652d010804b5ed2030ed25ce4
eap7-jboss-server-migration-cli-1.10.0-24.Final_redhat_00023.1.el8eap.noarch.rpm SHA-256: 2fbc7af31adf59cb00335630f017bf69952c9e6c3842d34cafebaed7e87d941c
eap7-jboss-server-migration-core-1.10.0-24.Final_redhat_00023.1.el8eap.noarch.rpm SHA-256: 94ed36dc35a31468099a9c1184490f992b39c8ebf006a28ab19ecacbfaa5eb0f
eap7-jettison-1.5.2-1.redhat_00002.1.el8eap.noarch.rpm SHA-256: ae95e2c54f1451c36dca32112f4348ea53e821d22f729359ab265e4081958f92
eap7-undertow-2.2.22-1.SP3_redhat_00001.1.el8eap.noarch.rpm SHA-256: 74c8f8b99fe0fc21ee8f125755e41688c002bbab435aeda397191c06b5acb520
eap7-undertow-server-1.9.3-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 26a2a71bec4f67ae23fc7723bf4ab562739abe60c028c301bf645fe7c61f4d51
eap7-wildfly-7.4.9-4.GA_redhat_00003.1.el8eap.noarch.rpm SHA-256: 175e3d4e55302a633f8e85bc8ac6b298843ac9059d744f310ed82d5df1ff702a
eap7-wildfly-elytron-1.15.16-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: ac0cb3adf76f3f46354f6960d6f1955935f6a0106db6e047291499a5544faf1a
eap7-wildfly-elytron-tool-1.15.16-1.Final_redhat_00001.1.el8eap.noarch.rpm SHA-256: 4cb1ceaa83c881aca751f83a5c634d4c40e74a471987c3ca10c5a42114e4f1a6
eap7-wildfly-javadocs-7.4.9-4.GA_redhat_00003.1.el8eap.noarch.rpm SHA-256: 6c37661518fcc626f5dfdfc8c4d124755f9ac2face52d4e9781836a6577bf82f
eap7-wildfly-modules-7.4.9-4.GA_redhat_00003.1.el8eap.noarch.rpm SHA-256: bf1316deacdb226b0e002e30032a97f0a58efb4c03d26420999f5e7106d7d0ce
eap7-woodstox-core-6.4.0-1.redhat_00001.1.el8eap.noarch.rpm SHA-256: 3e0ab5bc98e4a16cfc9cbba9286e9e9bfae25d65dacbe7ed4f841c24e836f8f3

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.