Red Hat Product Errata RHSA-2023:0554 - Security Advisory

Issued:: 2023-01-31
Updated:: 2023-01-31

RHSA-2023:0554 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

jquery: Prototype pollution in object's prototype leading to denial of

service, remote code execution, or property injection (CVE-2019-11358)

jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute

(CVE-2018-14040)

jquery: Untrusted code execution via <option> tag in HTML passed to DOM

manipulation methods (CVE-2020-11023)

jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method

(CVE-2020-11022)

bootstrap: XSS in the data-target attribute (CVE-2016-10735)
bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy

(CVE-2018-14041)

sshd-common: mina-sshd: Java unsafe deserialization vulnerability

(CVE-2022-45047)

woodstox-core: woodstox to serialise XML data was vulnerable to Denial of

Service attacks (CVE-2022-40152)

bootstrap: Cross-site Scripting (XSS) in the data-container property of

tooltip (CVE-2018-14042)

bootstrap: XSS in the tooltip or popover data-template attribute

(CVE-2019-8331)

nodejs-moment: Regular expression denial of service (CVE-2017-18214)
wildfly-elytron: possible timing attacks via use of unsafe comparator

(CVE-2022-3143)

jackson-databind: use of deeply nested arrays (CVE-2022-42004)
jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS

(CVE-2022-42003)

jettison: parser crash by stackoverflow (CVE-2022-40149)
jettison: memory exhaustion via user-supplied XML or JSON data

(CVE-2022-40150)

jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

JBoss Enterprise Application Platform 7.4 for RHEL 9 x86_64

Fixes

BZ - 1399546 - CVE-2015-9251 jquery: Cross-site scripting via cross-domain ajax requests
BZ - 1553413 - CVE-2017-18214 nodejs-moment: Regular expression denial of service
BZ - 1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
BZ - 1601616 - CVE-2018-14041 bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy
BZ - 1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
BZ - 1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute
BZ - 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute
BZ - 1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
BZ - 1850004 - CVE-2020-11023 jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods
BZ - 2124682 - CVE-2022-3143 wildfly-elytron: possible timing attacks via use of unsafe comparator
BZ - 2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks
BZ - 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
BZ - 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
BZ - 2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
BZ - 2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow
BZ - 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
BZ - 2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
BZ - 2155970 - CVE-2022-45693 jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos
JBEAP-23928 - Tracker bug for the EAP 7.4.9 release for RHEL-9
JBEAP-24055 - (7.4.z) Upgrade HAL from 3.3.15.Final-redhat-00001 to 3.3.16.Final-redhat-00001
JBEAP-24081 - (7.4.z) Upgrade Elytron from 1.15.14.Final-redhat-00001 to 1.15.15.Final-redhat-00001
JBEAP-24095 - (7.4.z) Upgrade elytron-web from 1.9.2.Final-redhat-00001 to 1.9.3.Final-redhat-00001
JBEAP-24100 - [GSS](7.4.z) Upgrade Undertow from 2.2.20.SP1-redhat-00001 to 2.2.22.SP3-redhat-00001
JBEAP-24127 - (7.4.z) UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value
JBEAP-24128 - (7.4.z) Upgrade Hibernate Search from 5.10.7.Final-redhat-00001 to 5.10.13.Final-redhat-00001
JBEAP-24132 - [GSS](7.4.z) Upgrade Ironjacamar from 1.5.3.SP2-redhat-00001 to 1.5.10.Final-redhat-00001
JBEAP-24147 - (7.4.z) Upgrade jboss-ejb-client from 4.0.45.Final-redhat-00001 to 4.0.49.Final-redhat-00001
JBEAP-24167 - (7.4.z) Upgrade WildFly Core from 15.0.19.Final-redhat-00001 to 15.0.21.Final-redhat-00002
JBEAP-24191 - [GSS](7.4.z) Upgrade remoting from 5.0.26.SP1-redhat-00001 to 5.0.27.Final-redhat-00001
JBEAP-24195 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP06-redhat-00001 to 3.0.0.SP07-redhat-00001
JBEAP-24207 - (7.4.z) Upgrade Soteria from 1.0.1.redhat-00002 to 1.0.1.redhat-00003
JBEAP-24248 - (7.4.z) ELY-2492 - Upgrade sshd-common in Elytron from 2.7.0 to 2.9.2
JBEAP-23864 - (7.4.z) Upgrade xmlsec from 2.1.7.redhat-00001 to 2.2.3.redhat-00001
JBEAP-23866 - (7.4.z) Upgrade wss4j from 2.2.7.redhat-00001 to 2.3.3.redhat-00001
JBEAP-24426 - (7.4.z) Upgrade Elytron from 1.15.15.Final-redhat-00001 to 1.15.16.Final-redhat-00001
JBEAP-23865 - [GSS](7.4.z) Upgrade Apache CXF from 3.3.13.redhat-00001 to 3.4.10.redhat-00001
JBEAP-24427 - (7.4.z) Upgrade WildFly Core from 15.0.21.Final-redhat-00002 to 15.0.22.Final-redhat-00001

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Application Platform 7.4 for RHEL 9

SRPM
eap7-apache-sshd-2.9.2-1.redhat_00001.1.el9eap.src.rpm	SHA-256: c7cdd863a7915377c5edb1aac0701706fab30a2f0388f9f9854ad3cde8dd8fa7
eap7-elytron-web-1.9.3-1.Final_redhat_00001.1.el9eap.src.rpm	SHA-256: 3190b3bf3ee57bca8154fb1e892c1be96d1621635cc5dea17496626a65068602
eap7-hal-console-3.3.16-1.Final_redhat_00001.1.el9eap.src.rpm	SHA-256: c83395ebb915de1cc36ff3471be2fb3a619a70c26319e31c4a6528185490cc35
eap7-hibernate-search-5.10.13-3.Final_redhat_00001.1.el9eap.src.rpm	SHA-256: 9a572a1bcbd8bfd6eca2e79e4b5210ad2cebd58cd1574b1dc909877a7a19c47e
eap7-ironjacamar-1.5.10-1.Final_redhat_00001.1.el9eap.src.rpm	SHA-256: efb6337279bd51530d703691251eabf8363c05da5c5ce16a98b9392eed526e11
eap7-jackson-annotations-2.12.7-1.redhat_00003.1.el9eap.src.rpm	SHA-256: 80a3ca2ecd2de1a7dff9379d26359418f643bb6aded95f9e6361ad9427a1ea85
eap7-jackson-core-2.12.7-1.redhat_00003.1.el9eap.src.rpm	SHA-256: ba6df1605737e2ddcf4d3a1112694d2c30be66643a18c25d912ef619e7038c83
eap7-jackson-databind-2.12.7-1.redhat_00003.1.el9eap.src.rpm	SHA-256: d0e875ef6a2b717ddfae3533714d78007cbf123611df86dc4b6e92878bcb6462
eap7-jackson-jaxrs-providers-2.12.7-1.redhat_00003.1.el9eap.src.rpm	SHA-256: 67525be5280e549cdeb4192332a0b1b559ddd66ab37140829bb9d3a12faf9616
eap7-jackson-modules-base-2.12.7-1.redhat_00003.1.el9eap.src.rpm	SHA-256: 7672991509490563e8e71af43a5c40880f6108c334f66a70b75f3234a175cc7f
eap7-jackson-modules-java8-2.12.7-1.redhat_00003.1.el9eap.src.rpm	SHA-256: 69e39dddc9444aec7185ab4c693554ac859ad344e6dd3f9303c92120d91f0629
eap7-javaee-security-soteria-1.0.1-3.redhat_00003.1.el9eap.src.rpm	SHA-256: 38f50d90adaca7269865c6b31119546e304c0f6950b8b7c1ef78b24dfd356c05
eap7-jboss-ejb-client-4.0.49-1.Final_redhat_00001.1.el9eap.src.rpm	SHA-256: 09ac8f23b97778722ad80212d6e28fa2406e5fcfd2a196379a6cacf507e18652
eap7-jboss-jsf-api_2.3_spec-3.0.0-6.SP07_redhat_00001.1.el9eap.src.rpm	SHA-256: 7213ced01ab2ebe75e98141489c0623949852e8475e7f12e651c9627abe1f687
eap7-jboss-jsp-api_2.3_spec-2.0.0-3.Final_redhat_00001.1.el9eap.src.rpm	SHA-256: edd11eb84b39b3f38b49e81db5ce072268272a544d867f50b9e1a380cd9dca7d
eap7-jboss-remoting-5.0.27-1.Final_redhat_00001.1.el9eap.src.rpm	SHA-256: dccb00b588206f8392c13ce3956996f934190994c257e52faad0451d7c4dc078
eap7-jboss-server-migration-1.10.0-24.Final_redhat_00023.1.el9eap.src.rpm	SHA-256: a1af2d02415f0b27b9fd995d44f953ff028897c991d48fac3424b46e63565694
eap7-jettison-1.5.2-1.redhat_00002.1.el9eap.src.rpm	SHA-256: e7406385a872e4b3cc666d35a79875666e6627da65e8826d8b89722f5ba77950
eap7-undertow-2.2.22-1.SP3_redhat_00001.1.el9eap.src.rpm	SHA-256: 520bcbf7c41be36714f7a1d5275808bf5147e4bb537be3faf92639eeb4f28171
eap7-wildfly-7.4.9-4.GA_redhat_00003.1.el9eap.src.rpm	SHA-256: b36d76ce6f62444f5d9273708bca55ac035279b075395448766be1fa861f12d6
eap7-wildfly-elytron-1.15.16-1.Final_redhat_00001.1.el9eap.src.rpm	SHA-256: 8594bcb68f341f5ba577ed7a05d827b01808c79cea8efdcfe3873eef11c31c60
eap7-woodstox-core-6.4.0-1.redhat_00001.1.el9eap.src.rpm	SHA-256: 7ced4803d3fe8379ea3e4e0e6fa9378d3649700dace0cde047ed0b429f75a1c3
x86_64
eap7-apache-sshd-2.9.2-1.redhat_00001.1.el9eap.noarch.rpm	SHA-256: efdec6bbb49f6f943342e5fab8c0647a47bb84107816d8bdc86e812d1052c0bd
eap7-hal-console-3.3.16-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 6cb874d2a50c454902357f18ae3288a89ba5b8621400586fa687e77c4be319ff
eap7-hibernate-search-5.10.13-3.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 0054a4c701ccab52f9836aaaa50d387f681bc24e07177ff2136b393cdc9f367e
eap7-hibernate-search-backend-jgroups-5.10.13-3.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 9e07dd7d95160c67afe8deefbcd686668384410faa07bd1e0f2bb2cf545b9e66
eap7-hibernate-search-backend-jms-5.10.13-3.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 0a6ca7bff23ae61c091565f8c3c88eb6d8ef4dd581d56b093a7b19de17be4689
eap7-hibernate-search-engine-5.10.13-3.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 4047cc57510034d9236b3d9b5b9eb387f095b9ba4e23549b89d441624c5ddf6e
eap7-hibernate-search-orm-5.10.13-3.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 3eabdae63792bdd52252a69da80677be4d8ea42541e54dd96e2859b1817aba98
eap7-hibernate-search-serialization-avro-5.10.13-3.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 9e4963e8dd9800256dd5331a1e714f70152d83d2e18593ef6e4f93179d0e6d07
eap7-ironjacamar-1.5.10-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 1a77b780e531e5d2c2cc1817c357efc648710f602b020b36297dccaae83b02e7
eap7-ironjacamar-common-api-1.5.10-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 0a4bc8e4cfae10ae4873c1b7549b72d4121199fd82615dbd41a1d445cb2ce238
eap7-ironjacamar-common-impl-1.5.10-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: c77a3598ab4f69b28e5c7fd8ff4c102219d6c1e951ed01ed07abbb62a751e3c3
eap7-ironjacamar-common-spi-1.5.10-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 1bad68eb5d0096eb836d35fd6f8336cc433f63d032c1eddb19020d861e0b2aeb
eap7-ironjacamar-core-api-1.5.10-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 6bb0216a811633460081b72431136148986d8a7556739546f77ca7cebd9bd583
eap7-ironjacamar-core-impl-1.5.10-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 5943a9d736d3889d4a01c8f104941a944b58371b48c36e556a01a59e0ab1bcd3
eap7-ironjacamar-deployers-common-1.5.10-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 030685a9ce3061041d0a310c3b80ff28f7644822df4d5bc7412618359a65d0f6
eap7-ironjacamar-jdbc-1.5.10-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: a7bd8910bc29054be851a8508d94aa15cb98cad7bf61149de0b45b3fb21c5931
eap7-ironjacamar-validator-1.5.10-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 241f6b81fb97415eb84b0572d6a42fcbf07f6d6dbde4896aedc2b7d406af0353
eap7-jackson-annotations-2.12.7-1.redhat_00003.1.el9eap.noarch.rpm	SHA-256: a1974a686227c8987e73d2836591b16bce0abe4c961b8f17049b612f6321ad84
eap7-jackson-core-2.12.7-1.redhat_00003.1.el9eap.noarch.rpm	SHA-256: 262e5bc0f4891ab2a58d9ac89bc3fbf5385afc111cd382f15bf29f9bc0f37107
eap7-jackson-databind-2.12.7-1.redhat_00003.1.el9eap.noarch.rpm	SHA-256: 2ea70c82c7ca37fcafa006a1aa28f62e23b8704849ade29d7cfb5928bf6a1d56
eap7-jackson-datatype-jdk8-2.12.7-1.redhat_00003.1.el9eap.noarch.rpm	SHA-256: c11eafecf19ee3c8f97396df1ab539ab0b401ce723f2936565553cc170e55e52
eap7-jackson-datatype-jsr310-2.12.7-1.redhat_00003.1.el9eap.noarch.rpm	SHA-256: cfbd6c524c39a2a05df70dda44860947eabc47d687ea310f0d263466717e3e96
eap7-jackson-jaxrs-base-2.12.7-1.redhat_00003.1.el9eap.noarch.rpm	SHA-256: f2f3156621d30fa3db6f97975c96e3afe76c18104535b06f13b89f3cd107220e
eap7-jackson-jaxrs-json-provider-2.12.7-1.redhat_00003.1.el9eap.noarch.rpm	SHA-256: 4c675980d430470f6adf0db9fd66a0b89674df6cd99d4f8ecbd250f80e34889c
eap7-jackson-module-jaxb-annotations-2.12.7-1.redhat_00003.1.el9eap.noarch.rpm	SHA-256: 5dfccec451e6e4df0692df5e723a76a508a7586d82f63188593ed51007d9ca0b
eap7-jackson-modules-base-2.12.7-1.redhat_00003.1.el9eap.noarch.rpm	SHA-256: 49558f7e6f08b439e41bd63d7b3a6918fb0072531dfe8efeb3739e6e50201f0a
eap7-jackson-modules-java8-2.12.7-1.redhat_00003.1.el9eap.noarch.rpm	SHA-256: 070a2f74848cdab121a34e79d9c1dc7306d8db3203ee410a7fea7067fe057a55
eap7-javaee-security-soteria-1.0.1-3.redhat_00003.1.el9eap.noarch.rpm	SHA-256: 932d5c7ea6c14beaed4e4e9b1a1ebc3fd13f7d93b192c19a1e50abcb45dadd13
eap7-javaee-security-soteria-enterprise-1.0.1-3.redhat_00003.1.el9eap.noarch.rpm	SHA-256: b2732d0f330581876bde57283774c8b712ba4d89fc474095567e5a936e9d0ec7
eap7-jboss-ejb-client-4.0.49-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: cc593bfd0a194a3b7ca64742ca530b9be835e26a877e8c0ac4616ea2c76f8f43
eap7-jboss-jsf-api_2.3_spec-3.0.0-6.SP07_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 9283a24a8302c543b74da150052c2e26866b2644f0de90553ad11b329c3babd9
eap7-jboss-jsp-api_2.3_spec-2.0.0-3.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 7d0ae5729aee83146ba9317fd84071d8751a9873e8d2cc1f1b3dd6a9f4beda66
eap7-jboss-remoting-5.0.27-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: b0b0e1fd2db3b75b2d2de28d472d23738faa46b1918ac0b12ef6e771f8fb7b08
eap7-jboss-server-migration-1.10.0-24.Final_redhat_00023.1.el9eap.noarch.rpm	SHA-256: 3a31d15b0bed341980d37735c1c9e8c6e6d3cb43bda2dcd48f6f3129cf9c8df6
eap7-jboss-server-migration-cli-1.10.0-24.Final_redhat_00023.1.el9eap.noarch.rpm	SHA-256: 0b26200db900c80dd72b0b861c61076843105237900978f355a55bbf99395c0f
eap7-jboss-server-migration-core-1.10.0-24.Final_redhat_00023.1.el9eap.noarch.rpm	SHA-256: 0eba94abdfaa38084abfeaba5db1a5344c0796f983c44ab77f5b807476bfd40c
eap7-jettison-1.5.2-1.redhat_00002.1.el9eap.noarch.rpm	SHA-256: 886cf20323008e3b17c119479fb2f2f8ba5ca2373af8e363c735ad6761bbfd07
eap7-undertow-2.2.22-1.SP3_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 441c75f03fadf405a1032d55dbe9abd299f3938b1fe5d8aa70971e4d1a606f55
eap7-undertow-server-1.9.3-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: faa366159f9224bd73f11875bef786a8c1af3dffcb0447ddabcc32ec6b0ad910
eap7-wildfly-7.4.9-4.GA_redhat_00003.1.el9eap.noarch.rpm	SHA-256: 2c549fdc4114c19c7fefaaac0c36b908ba618daabfe908a501079327114efce2
eap7-wildfly-elytron-1.15.16-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: c28938bb16fe0637c0a2b36165c0a639a3fceb9b43db3335e95dacab05ac707d
eap7-wildfly-elytron-tool-1.15.16-1.Final_redhat_00001.1.el9eap.noarch.rpm	SHA-256: 8ec9f108c2692b3570591b197b14e881bf2ae43268070d6597a1bc6b1d264e9e
eap7-wildfly-javadocs-7.4.9-4.GA_redhat_00003.1.el9eap.noarch.rpm	SHA-256: 52fe330c956502a63ada897e3ed63d033bb52a54c6d0552d079eb1b495ed1406
eap7-wildfly-modules-7.4.9-4.GA_redhat_00003.1.el9eap.noarch.rpm	SHA-256: 36d2132865da0c8d59f5aebe01e958b865a0af83bea98da0334cac2257be80a5
eap7-woodstox-core-6.4.0-1.redhat_00001.1.el9eap.noarch.rpm	SHA-256: 85c2e31d21a688317a3683ea6a73818b755311b83524fbfb58022c4783641bd9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation