Issued:: 2023-08-07
Updated:: 2023-08-07

RHSA-2023:4505 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat JBoss Enterprise Application Platform security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.12 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.11 and includes
bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.12 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)
jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products

JBoss Enterprise Application Platform 7.4 for RHEL 7 x86_64

Fixes

BZ - 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
BZ - 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
BZ - 2209689 - CVE-2023-3223 undertow: OutOfMemoryError due to @MultipartConfig handling
JBEAP-24720 - Tracker bug for the EAP 7.4.12 release for RHEL-7
JBEAP-24711 - (7.4.z) Upgrade Jettison from 1.5.2.redhat-00002 to 1.5.4.redhat-x
JBEAP-24744 - [GSS](7.4.z) Upgrade Undertow from 2.2.24.SP1-redhat-00001 to 2.2.25.SP1
JBEAP-24745 - (7.4.z) Upgrade Elytron from 1.15.16.Final-redhat-00001 to 1.15.17.Final-redhat-00001
JBEAP-24790 - (7.4.z) Upgrade HAL from 3.3.17.Final-redhat-00001 to 3.3.18.Final-redhat-00001
JBEAP-24808 - [GSS](7.4.z) Upgrade WildFly Core from 15.0.26.Final-redhat-00001 to 15.0.27.Final-redhat-00001
JBEAP-24819 - [GSS](7.4.z) Upgrade Hibernate ORM from 5.3.29.Final-redhat-00001 to 5.3.30.Final-redhat-00001
JBEAP-24820 - [GSS](7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00012 to 2.5.5.SP12-redhat-00013
JBEAP-24821 - (7.4.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00014 to 2.5.5.SP12-redhat-00016
JBEAP-24822 - (7.4.z) Upgrade PicketLink version in PicketLink bindings.
JBEAP-24831 - [GSS](7.4.z) Upgrade xalan from 2.7.1.redhat-13 to 2.7.1.redhat-14
JBEAP-24832 - (7.4.z) Upgrade Jakarta Mail from 1.6.7.redhat-00001 to 1.6.7.redhat-00003
JBEAP-24835 - (7.4.z) Upgrade Jakarta activation from 1.2.2.redhat-00001 to 1.2.2.redhat-00002
JBEAP-24836 - (7.4.z) Upgrade jboss-ejb-client from 4.0.50.SP1-redhat-00001 to 4.0.53.Final-redhat-00001
JBEAP-24858 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00047 to 2.16.0.redhat-00048
JBEAP-24973 - (7.4.z) Upgrade insights-java-client from 1.0.1.redhat-00001 to 1.0.8.redhat-00001
JBEAP-25004 - (7.4.z) Upgrade runtimes-java-api from 1.0.8.redhat-00001 to 1.0.9.redhat-00001
JBEAP-25085 - [GSS](7.4.z) Upgrade Undertow from 2.2.25.SP1 to 2.2.25.SP2
JBEAP-25086 - [GSS](7.4.z) Upgrade WildFly Core from 15.0.27.Final-redhat-00001 to 15.0.28.Final-redhat-00001
JBEAP-25204 - [GSS](7.4.z) Upgrade Undertow from 2.2.25.SP2-redhat-00001 to 2.2.25.SP3
JBEAP-25205 - [GSS](7.4.z) Upgrade WildFly Core from 15.0.28.Final-redhat-00001 to 15.0.29.Final-redhat-00001

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Application Platform 7.4 for RHEL 7

SRPM
eap7-activemq-artemis-2.16.0-12.redhat_00048.1.el7eap.src.rpm	SHA-256: 41dabf9fddd11163b4906cda444ddb65ed9fb0133850a2ed2b5d5f7e27cc69f3
eap7-glassfish-jaf-1.2.2-2.redhat_00002.1.el7eap.src.rpm	SHA-256: f6413d143b244b1f8ddaf0e8b024c734abd3747fbd88dfaf7f44e4d35a35096a
eap7-glassfish-javamail-1.6.7-2.redhat_00003.1.el7eap.src.rpm	SHA-256: 01cf2fb6ccf8575720531a6dc6bc36d96d049eaee11a93e9bb84d83c9ad3706f
eap7-hal-console-3.3.18-1.Final_redhat_00001.1.el7eap.src.rpm	SHA-256: 7a3e1ab71ed79a4302d7936a778b6c623ead66f36fbc8f0a126d4d1c1bdc03f4
eap7-hibernate-5.3.30-1.Final_redhat_00001.1.el7eap.src.rpm	SHA-256: 87663b842c24fa5aac834c58752d823fe74bb6528488d46b06a2218956e7cb1c
eap7-insights-java-client-1.0.9-1.redhat_00001.1.el7eap.src.rpm	SHA-256: 9e1de52646914a0ad118bcd10191a9c0b09adccdff28bec31cf52a2b3676eab3
eap7-jboss-cert-helper-1.0.9-1.redhat_00001.1.el7eap.src.rpm	SHA-256: c3e497c8daad50b59008d56a81e41bf008dd0e109ef5771da75d97a014f3e09f
eap7-jboss-ejb-client-4.0.53-1.Final_redhat_00001.1.el7eap.src.rpm	SHA-256: bf5f22537823079785aadffdbb424fa6d3123bfad856602cd5f1b3878c6a870f
eap7-jboss-server-migration-1.10.0-30.Final_redhat_00029.1.el7eap.src.rpm	SHA-256: 29bbebc2aa7e1ddfc204026405a84d4f81bbad439bf3da726008843e7c867b29
eap7-jettison-1.5.4-1.redhat_00002.1.el7eap.src.rpm	SHA-256: ca059bef32cd2490801ec8b975b106fd7d03c79d94972cf33e7fff4f994d1de5
eap7-picketlink-bindings-2.5.5-27.SP12_redhat_00016.1.el7eap.src.rpm	SHA-256: 892e973b2c61e490263b452d2190a520bac6df1c9d488802eeab7d7970e7a932
eap7-picketlink-federation-2.5.5-23.SP12_redhat_00013.1.el7eap.src.rpm	SHA-256: 3d1216e4645b752e660b527b65ccf4130c67f7aa460b09bab5ee20983e54fe81
eap7-protostream-4.3.5-2.Final_redhat_00003.1.el7eap.src.rpm	SHA-256: aef72ac87a128d055d0c2df8e5e9e691328efe41b17e587ed4c90b84f60b63ee
eap7-undertow-2.2.25-3.SP3_redhat_00001.1.el7eap.src.rpm	SHA-256: 5d3e0eaa769f0aa4b66f8a2b51c42cae9a0450bb958e67160c49c896032dea97
eap7-wildfly-7.4.12-3.GA_redhat_00003.1.el7eap.src.rpm	SHA-256: bc39c09ea573f66eec84e5676a18fd51faf97a61577dd3d75a4bcb59eaca8e14
eap7-wildfly-elytron-1.15.17-1.Final_redhat_00001.1.el7eap.src.rpm	SHA-256: cf173a10b4d4b1bcf4ea25899f125a2cbf18f0983fe8b34ba029cfefa1b710f2
eap7-xalan-j2-2.7.1-36.redhat_00014.1.el7eap.src.rpm	SHA-256: d541337de83dfd0f89d51e88e1f37c856595aa20d9b40d40ec97cfdf6df0bdcb
x86_64
eap7-activemq-artemis-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: a7818506105da883d0f6d20c2fa3ee92ca0253c92c2e41d8e1537cc307d60e19
eap7-activemq-artemis-cli-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 93f0ffb4fb9cf79e79921b2f95dd428badfd216354183a98f86df73e1df884ed
eap7-activemq-artemis-commons-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 285f4755370b6785a2e8b9f17d6605bd983aa882b89c2d1fafda05cc1b989db9
eap7-activemq-artemis-core-client-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 6f49dad038d9999708717403ad671a0614deaa7c2c54713444edc1908e9ee7dc
eap7-activemq-artemis-dto-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 1e1876370785041bea8283ef8da7a4fcea54d9770054af2bd2b30464bb83deec
eap7-activemq-artemis-hornetq-protocol-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 326e06e4f3b1ca413cd26f4af5c9ac9e816938fd53b42c32400736196a8772a4
eap7-activemq-artemis-hqclient-protocol-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 0d41698f5ddb7b6f607337f075c567740045250f7c04d1ef7db9259312b17e40
eap7-activemq-artemis-jdbc-store-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 87a701637d83173bff90d50442609da14fa735b55c8d7759666199f79a4c9569
eap7-activemq-artemis-jms-client-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 86aa44ca768fc3bc843ec4c416491a96a508e5ba8e4385e3af1b07d17b0eb99c
eap7-activemq-artemis-jms-server-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: b3ea81b1c024d58f9c095d239c96e477fe95bfac0a5403fda830b3bcdcb95f21
eap7-activemq-artemis-journal-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 75f0d449f1f681db6dbdc40734c4f7be1051cb29fc514dc36d68088c42ff484d
eap7-activemq-artemis-ra-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 607ed624458a216265a27db3521f06bb071189b7df61faaa4b695097fa6cd617
eap7-activemq-artemis-selector-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 3f479e2a0821e875f0f8edbc0d5451c99431faebc1694599a9d828fe706e0091
eap7-activemq-artemis-server-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: b7d971742a58c2ea6727c740efdd58e2a9653b02c6fd7e4afce9f722741d61fb
eap7-activemq-artemis-service-extensions-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: efd6d087e1971819d31537bdfa872e862576cdc26c9fc6790ad40ee74e8da060
eap7-activemq-artemis-tools-2.16.0-12.redhat_00048.1.el7eap.noarch.rpm	SHA-256: 594a4c47e3f0fd72846d0494ae7fc941fe0ee6cb678f713d9e1fcff79ea00ccd
eap7-glassfish-jaf-1.2.2-2.redhat_00002.1.el7eap.noarch.rpm	SHA-256: 0004763613b889a029eb4fcf9c13f185752249b7e635bf5ccf5fc4c9369e3758
eap7-glassfish-javamail-1.6.7-2.redhat_00003.1.el7eap.noarch.rpm	SHA-256: 966e81a45a2c64c46b780b2fa16207dfd6c964537cac842e9bef914afa7f61ed
eap7-hal-console-3.3.18-1.Final_redhat_00001.1.el7eap.noarch.rpm	SHA-256: cf9df5330ebd37c1073d4230a03809813802a33a6f80e566032040e566159a39
eap7-hibernate-5.3.30-1.Final_redhat_00001.1.el7eap.noarch.rpm	SHA-256: bcb496fc3f938c2a41bd2c1e638dc74182dbb647ffbf8daf10792c516460bdc6
eap7-hibernate-core-5.3.30-1.Final_redhat_00001.1.el7eap.noarch.rpm	SHA-256: 93307a625593b3b68cec9a1b9bcd264d09f49427f77e42c50b3c66770666be75
eap7-hibernate-entitymanager-5.3.30-1.Final_redhat_00001.1.el7eap.noarch.rpm	SHA-256: e68e6f2294eed3e9d5a39a7ff8a25c3b32e315f0a5c5b671bc61bdec6cc62757
eap7-hibernate-envers-5.3.30-1.Final_redhat_00001.1.el7eap.noarch.rpm	SHA-256: ba5a4fc68c717d48b94e9a61ed39d066ae4c7337607fa4022877aee967c62f99
eap7-hibernate-java8-5.3.30-1.Final_redhat_00001.1.el7eap.noarch.rpm	SHA-256: 24db35be408387c24086bf22fabaa15a5f4adb6b25058c6dc0b6516ad1c121ab
eap7-insights-java-client-1.0.9-1.redhat_00001.1.el7eap.noarch.rpm	SHA-256: abf67a81e641403908ee8dd84450f8648e28d6cff8e5dcbd2cc5909786abd8b4
eap7-jboss-cert-helper-1.0.9-1.redhat_00001.1.el7eap.x86_64.rpm	SHA-256: 87bf8f23e66a8ee691258e7ea128ff5b16e53b783fc1d828297ebee98a12f22e
eap7-jboss-cert-helper-debuginfo-1.0.9-1.redhat_00001.1.el7eap.x86_64.rpm	SHA-256: 828be0a79efefef8c8b0985d1d79372377928e560b4446df9181450e89ea3d78
eap7-jboss-ejb-client-4.0.53-1.Final_redhat_00001.1.el7eap.noarch.rpm	SHA-256: f7e6bfc258066a0e0a371ca3d23462d5c2a16add757ea7f37bceddf6a6870c4b
eap7-jboss-server-migration-1.10.0-30.Final_redhat_00029.1.el7eap.noarch.rpm	SHA-256: 032c202e7f59fc8a2fcfc3eb793874d35fff8ca1e592631d984682732b4f5fe4
eap7-jboss-server-migration-cli-1.10.0-30.Final_redhat_00029.1.el7eap.noarch.rpm	SHA-256: 8314e6ae21ae1c94657e6fcc3969b158b3b5c9ebae4f94d77b691409241a5071
eap7-jboss-server-migration-core-1.10.0-30.Final_redhat_00029.1.el7eap.noarch.rpm	SHA-256: 0ddc466d0d75e4f9a0bc617708c681cf7f2bd03e82ccd2530125ab54fbfe3cb8
eap7-jettison-1.5.4-1.redhat_00002.1.el7eap.noarch.rpm	SHA-256: 2eace624bce824d73674e8526709633fa32b21c3ffd8b0864652630b91180662
eap7-picketlink-api-2.5.5-23.SP12_redhat_00013.1.el7eap.noarch.rpm	SHA-256: 2506c9333e4610709b47cf9c00a7c9911df9c06b430223e78af2ffda8ff195f1
eap7-picketlink-bindings-2.5.5-27.SP12_redhat_00016.1.el7eap.noarch.rpm	SHA-256: 21da893d7045f0a5f410e6d29bf3a0ed0b9985c0799b9948a70f75d0bac85e06
eap7-picketlink-common-2.5.5-23.SP12_redhat_00013.1.el7eap.noarch.rpm	SHA-256: 6edc54ef338f648654ea7de76b387514a02e78aaeae0aaeaef7807a3c7b4bc7e
eap7-picketlink-config-2.5.5-23.SP12_redhat_00013.1.el7eap.noarch.rpm	SHA-256: 1b5c5c4d39863bfedadc72162e0db612b52417ba928dfcc34e0ceb22ec2cc46d
eap7-picketlink-federation-2.5.5-23.SP12_redhat_00013.1.el7eap.noarch.rpm	SHA-256: 674c246f745a7136d2a964c8df2f74833335eb40493d5da90adfba53712a9cc0
eap7-picketlink-idm-api-2.5.5-23.SP12_redhat_00013.1.el7eap.noarch.rpm	SHA-256: 5b17f945f34b921211b0f277b3c734ac06451820a81a1f24f20d44e72278f4a3
eap7-picketlink-idm-impl-2.5.5-23.SP12_redhat_00013.1.el7eap.noarch.rpm	SHA-256: 22b58f24366178ba61baee51fa3b8aa6e69467d8be5126097ea9a3d75b34f490
eap7-picketlink-idm-simple-schema-2.5.5-23.SP12_redhat_00013.1.el7eap.noarch.rpm	SHA-256: 9ddab94a2d556fecf0e58a326c9d40dcdd52ef603eda7eb61b62073372e2cf2e
eap7-picketlink-impl-2.5.5-23.SP12_redhat_00013.1.el7eap.noarch.rpm	SHA-256: 01606354f8372a3856ebfa5f9895e230183bc1b61e99bad3d9fcf923bc946969
eap7-picketlink-wildfly8-2.5.5-27.SP12_redhat_00016.1.el7eap.noarch.rpm	SHA-256: be511dec584998b50b1afd9ad1847c172131a8a1029935cada221abeaf61cb99
eap7-protostream-4.3.5-2.Final_redhat_00003.1.el7eap.noarch.rpm	SHA-256: f7f17a592796d25cdcc5d08eca0acf3edcf1906093ff457f639cba7d6bc85912
eap7-undertow-2.2.25-3.SP3_redhat_00001.1.el7eap.noarch.rpm	SHA-256: 1abf52ca9545541900baa8d711f324c2a8af5b2e4b85f2e0003c932e8a3631ba
eap7-wildfly-7.4.12-3.GA_redhat_00003.1.el7eap.noarch.rpm	SHA-256: a38e69ca54c634c556809354e3becb5be4c72164d8efb75db7e97e258055e84b
eap7-wildfly-elytron-1.15.17-1.Final_redhat_00001.1.el7eap.noarch.rpm	SHA-256: 32436f918c0344b6c31777e66ee737e541f24155a50eda7278fa30f643e9bb62
eap7-wildfly-elytron-tool-1.15.17-1.Final_redhat_00001.1.el7eap.noarch.rpm	SHA-256: cd6c572f95e8eef0fb4e96891c5cc3b063ae466f39ea4750cf1227a5b8f500c3
eap7-wildfly-java-jdk11-7.4.12-3.GA_redhat_00003.1.el7eap.noarch.rpm	SHA-256: 084fa83ad56189b3e81449f0d585fd369e611b4445590c6c4ff8e22fb822fb72
eap7-wildfly-java-jdk8-7.4.12-3.GA_redhat_00003.1.el7eap.noarch.rpm	SHA-256: 57e912aa2311a91c95dbbc28840bf85578b70dcba0d95b9f9d04620443eac418
eap7-wildfly-javadocs-7.4.12-3.GA_redhat_00003.1.el7eap.noarch.rpm	SHA-256: 113dbeed27e3d795cf2a20a4ba92bb47c27408b37cc0c01addb34d7ff23f11c2
eap7-wildfly-modules-7.4.12-3.GA_redhat_00003.1.el7eap.noarch.rpm	SHA-256: cd2a863d93a8a071369a6912077483e4e04f29631c98a8469079bc574310b2dc
eap7-xalan-j2-2.7.1-36.redhat_00014.1.el7eap.noarch.rpm	SHA-256: e4505325dd1f7906611eea95ad05437a6cda08935e41b521c44c6c0210e4eede

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation