Red Hat Product Errata RHSA-2023:4507 - Security Advisory
Issued:
2023-08-07
Updated:
2023-08-07

RHSA-2023:4507 - Security Advisory

Synopsis

Important: Red Hat JBoss Enterprise Application Platform security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.12 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.11 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.12 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

  • undertow: OutOfMemoryError due to @MultipartConfig handling (CVE-2023-3223)
  • jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
  • jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Application Platform 7.4 for RHEL 9 x86_64

Fixes

  • BZ - 2182788 - CVE-2023-1436 jettison: Uncontrolled Recursion in JSONArray
  • BZ - 2185707 - CVE-2021-46877 jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
  • BZ - 2209689 - CVE-2023-3223 undertow: OutOfMemoryError due to @MultipartConfig handling
  • JBEAP-24722 - Tracker bug for the EAP 7.4.12 release for RHEL-9
  • JBEAP-24711 - (7.4.z) Upgrade Jettison from 1.5.2.redhat-00002 to 1.5.4.redhat-x
  • JBEAP-24744 - [GSS](7.4.z) Upgrade Undertow from 2.2.24.SP1-redhat-00001 to 2.2.25.SP1
  • JBEAP-24745 - (7.4.z) Upgrade Elytron from 1.15.16.Final-redhat-00001 to 1.15.17.Final-redhat-00001
  • JBEAP-24790 - (7.4.z) Upgrade HAL from 3.3.17.Final-redhat-00001 to 3.3.18.Final-redhat-00001
  • JBEAP-24808 - [GSS](7.4.z) Upgrade WildFly Core from 15.0.26.Final-redhat-00001 to 15.0.27.Final-redhat-00001
  • JBEAP-24819 - [GSS](7.4.z) Upgrade Hibernate ORM from 5.3.29.Final-redhat-00001 to 5.3.30.Final-redhat-00001
  • JBEAP-24820 - [GSS](7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00012 to 2.5.5.SP12-redhat-00013
  • JBEAP-24821 - (7.4.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00014 to 2.5.5.SP12-redhat-00016
  • JBEAP-24822 - (7.4.z) Upgrade PicketLink version in PicketLink bindings.
  • JBEAP-24831 - [GSS](7.4.z) Upgrade xalan from 2.7.1.redhat-13 to 2.7.1.redhat-14
  • JBEAP-24832 - (7.4.z) Upgrade Jakarta Mail from 1.6.7.redhat-00001 to 1.6.7.redhat-00003
  • JBEAP-24835 - (7.4.z) Upgrade Jakarta activation from 1.2.2.redhat-00001 to 1.2.2.redhat-00002
  • JBEAP-24836 - (7.4.z) Upgrade jboss-ejb-client from 4.0.50.SP1-redhat-00001 to 4.0.53.Final-redhat-00001
  • JBEAP-24858 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00047 to 2.16.0.redhat-00048
  • JBEAP-24973 - (7.4.z) Upgrade insights-java-client from 1.0.1.redhat-00001 to 1.0.8.redhat-00001
  • JBEAP-25004 - (7.4.z) Upgrade runtimes-java-api from 1.0.8.redhat-00001 to 1.0.9.redhat-00001
  • JBEAP-25085 - [GSS](7.4.z) Upgrade Undertow from 2.2.25.SP1 to 2.2.25.SP2
  • JBEAP-25086 - [GSS](7.4.z) Upgrade WildFly Core from 15.0.27.Final-redhat-00001 to 15.0.28.Final-redhat-00001
  • JBEAP-25204 - [GSS](7.4.z) Upgrade Undertow from 2.2.25.SP2-redhat-00001 to 2.2.25.SP3
  • JBEAP-25205 - [GSS](7.4.z) Upgrade WildFly Core from 15.0.28.Final-redhat-00001 to 15.0.29.Final-redhat-00001

JBoss Enterprise Application Platform 7.4 for RHEL 9

SRPM
eap7-activemq-artemis-2.16.0-12.redhat_00048.1.el9eap.src.rpm SHA-256: 0af43a0cddd3c396552d011d6195b643a4f5c5ffd5640aa8f171c807249a1cd8
eap7-glassfish-jaf-1.2.2-2.redhat_00002.1.el9eap.src.rpm SHA-256: ccf9feb0ed99a3dbbd5dd9561254937bd9177aa65afb812e6a32feb9868a9dc9
eap7-glassfish-javamail-1.6.7-2.redhat_00003.1.el9eap.src.rpm SHA-256: 1e433b1553d98264cf80436fa5d99d63403ae71141bd789e4a5de17a5b03916f
eap7-hal-console-3.3.18-1.Final_redhat_00001.1.el9eap.src.rpm SHA-256: 471c0633243e05339671bc40e9df723a9f9dcfa40bced52d85885ff519941cb9
eap7-hibernate-5.3.30-1.Final_redhat_00001.1.el9eap.src.rpm SHA-256: 68de4f2719240d86bc38fa0de58d523d1868966cd101decd5865529a2f19f372
eap7-insights-java-client-1.0.9-1.redhat_00001.1.el9eap.src.rpm SHA-256: b9ae5f559287596ba58bf96a9c23ea5ad26a33793a4abba0ecea72c5125a12e9
eap7-jboss-cert-helper-1.0.9-1.redhat_00001.1.el9eap.src.rpm SHA-256: 43139ae112930f33c790a0133b32bc782e43ce10d34f320ca5871cbe84b5ecb8
eap7-jboss-ejb-client-4.0.53-1.Final_redhat_00001.1.el9eap.src.rpm SHA-256: 34cf392081147bdfe3308802a937014c055a5fc474468fed0293174fc9f60aed
eap7-jboss-server-migration-1.10.0-30.Final_redhat_00029.1.el9eap.src.rpm SHA-256: 2ef752a2de579faeae8d9bb3b01b3c72a2d315d0b7faf9f7aabb5566328df1d8
eap7-jettison-1.5.4-1.redhat_00002.1.el9eap.src.rpm SHA-256: dc0e904bd8157be6d2f1ee60b1bec7c451915a113b70a1c5b7ffe482e4bea59b
eap7-picketlink-bindings-2.5.5-27.SP12_redhat_00016.1.el9eap.src.rpm SHA-256: c4904ce70f6c6204ccfcff21ebe17ad5a331bac94e7b5eb6c599174715e6296f
eap7-picketlink-federation-2.5.5-23.SP12_redhat_00013.1.el9eap.src.rpm SHA-256: 31e57bef615cdb74df51d1a05fc2728042a519d1f832f4215cdb0865730ad5ce
eap7-protostream-4.3.5-2.Final_redhat_00003.1.el9eap.src.rpm SHA-256: c021f7caf2ff685d7066147dd2fb73343c33537dc1bc4aa8512287053d7e86a1
eap7-undertow-2.2.25-3.SP3_redhat_00001.1.el9eap.src.rpm SHA-256: 26d64d3bca49204130d7b6af81c787bc37f0a801da3664c56849f57b842abe59
eap7-wildfly-7.4.12-3.GA_redhat_00003.1.el9eap.src.rpm SHA-256: 844a220f5115c6c25672484968709fca829122802bc2abc89984d88b94edda2a
eap7-wildfly-elytron-1.15.17-1.Final_redhat_00001.1.el9eap.src.rpm SHA-256: 558138b16dedd1e6ed588a2be504e4326ddd88fd135af24f77ce484a87753112
eap7-xalan-j2-2.7.1-36.redhat_00014.1.el9eap.src.rpm SHA-256: b328195be452ecdbc15c7fdac51156338397383652b363372cd6ef2798fa4fe0
x86_64
eap7-activemq-artemis-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: 5d51eed4d44e4e40706484d6297e5db5c83b4bfe651c10c91d999bd8ba940589
eap7-activemq-artemis-cli-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: 0f42ef373394874573eecdaf6d19deff904c8c7336253c6ddc25148ff938e990
eap7-activemq-artemis-commons-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: cef13de15ca0f9a9073d508b3c77ff217a8bce409d2cf2d77c716cbbdeeb670c
eap7-activemq-artemis-core-client-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: 37ffe64004b3b1c3b5d8cde5b7ef7ffa979298ed4863116b43f4b30632bd3667
eap7-activemq-artemis-dto-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: 3151dcdb492436a1644680e1190363b2473118652c16ddd2e4f14dd5a942bda6
eap7-activemq-artemis-hornetq-protocol-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: 5173e334d6acc8601c15fe7cc5bde26e491595e0ea480b41049e188dd3f8591a
eap7-activemq-artemis-hqclient-protocol-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: f0493f8cee9c1525da8e550b27562f9b5e905e2d279601d036722189c3d6b9a3
eap7-activemq-artemis-jdbc-store-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: 6e8b88d17339eece072aaca232bbb7e0d3cf31423929cd9052b9ff85a646b7f7
eap7-activemq-artemis-jms-client-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: a9c3dc105f6eef52f5c22cb5f9ab8d6c260fc23eacba048ccc3b087ed62f3c18
eap7-activemq-artemis-jms-server-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: e78ebc52ae8d95acdd04a2c1ed1300677abfad2816e78f45938a4e89f2da173b
eap7-activemq-artemis-journal-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: e32e9e83235c7bc33cf47db4978df2c0812144a964592ab549b60ce3182f69a9
eap7-activemq-artemis-ra-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: d80bf0e95e445c6e589b807497d47ee9064c08e33f04065fb51da69740e201e2
eap7-activemq-artemis-selector-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: 91464d3b0b8f1154385ee4571b6831a9f158faba9496f4cd4bcb4cebf515cdeb
eap7-activemq-artemis-server-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: f808e9df8661a15af41d60276b8237cbc1452fe10b78c78939c100709fd67448
eap7-activemq-artemis-service-extensions-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: 24119fcc828aaf30be457b78a782c419cd30a011a4177bbf71559b1180e9addb
eap7-activemq-artemis-tools-2.16.0-12.redhat_00048.1.el9eap.noarch.rpm SHA-256: c3e6c26e59eb1113248840a299c13617ec38eed5b3bacc41242bf732bb8824e2
eap7-glassfish-jaf-1.2.2-2.redhat_00002.1.el9eap.noarch.rpm SHA-256: 6e4d6c11086a9858b4a2d473a729b66f20477c9f5865b8cc6ae7d0b3a14cc563
eap7-glassfish-javamail-1.6.7-2.redhat_00003.1.el9eap.noarch.rpm SHA-256: 57c89e4435063873793daa0b9758a6c432b0db59443c41edf0a5b9e75de6511f
eap7-hal-console-3.3.18-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: a0cf41dfbf1cfe9bd1e813797879323425284d05e4135e6d0f97377c88503c29
eap7-hibernate-5.3.30-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: ea48340ffb680d91169a3c583a354a398f9184c9344d842ce16d5cc71a5dea74
eap7-hibernate-core-5.3.30-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 85f569ee51b8c51d4208f4d5fb6e8b092e87ee99663ce1d963f0d2c8f9bdaeea
eap7-hibernate-envers-5.3.30-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 87b626a09b054d7bc9d8092687e6d2fbb631605031bb3f0f4b862d24f83af57e
eap7-insights-java-client-1.0.9-1.redhat_00001.1.el9eap.noarch.rpm SHA-256: 886d7e393ebe5eee9eaca581acb6add60c1566a86671aacb405c37eedb56f19b
eap7-jboss-cert-helper-1.0.9-1.redhat_00001.1.el9eap.x86_64.rpm SHA-256: 1ee3a660e45a97438b2d155d418d30a34f4a8d8a7fb793e4124918f33f1c9a1c
eap7-jboss-ejb-client-4.0.53-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: d4062cac14d917baf12886e0865ed92a84a80d574d65d8a2d6479986885c03c3
eap7-jboss-server-migration-1.10.0-30.Final_redhat_00029.1.el9eap.noarch.rpm SHA-256: 370699d6be614a75ccec453059a492addf8b7e1099d84c7b326e65b3f1da9839
eap7-jboss-server-migration-cli-1.10.0-30.Final_redhat_00029.1.el9eap.noarch.rpm SHA-256: 0875a20d6181cda0b7f83792465976f2a751573250f87dadd7021221f27149b4
eap7-jboss-server-migration-core-1.10.0-30.Final_redhat_00029.1.el9eap.noarch.rpm SHA-256: d07c131ea4675dd2a505441ed52c912ba50b93a1a0fe042f457edb66025ca931
eap7-jettison-1.5.4-1.redhat_00002.1.el9eap.noarch.rpm SHA-256: 9a636b2de56bac29d9b1fed871354471c6c39e513ca4350c16deb671d31f817b
eap7-picketlink-api-2.5.5-23.SP12_redhat_00013.1.el9eap.noarch.rpm SHA-256: 10f74f341488b5af2eacb56fef8b6267a83b76fb97fae7611cdae08f67aab6e7
eap7-picketlink-bindings-2.5.5-27.SP12_redhat_00016.1.el9eap.noarch.rpm SHA-256: ff0834ee40cef9dc5d4ab094d1a161d0a41a07c5dc0ed63ef23227d1b3a9ed64
eap7-picketlink-common-2.5.5-23.SP12_redhat_00013.1.el9eap.noarch.rpm SHA-256: 421e9d843b2375eea00eb3832ac453a87e0414faf6bf9b4fd2c095c28e571ebd
eap7-picketlink-config-2.5.5-23.SP12_redhat_00013.1.el9eap.noarch.rpm SHA-256: ae213967b6425bf235fdecae86aae5f302f5d548be0e476840d98653efa48a29
eap7-picketlink-federation-2.5.5-23.SP12_redhat_00013.1.el9eap.noarch.rpm SHA-256: 3393ee97e1d5770ddbba785e8f55527cb77ae21965efd70a9cc3dc1f9a572996
eap7-picketlink-idm-api-2.5.5-23.SP12_redhat_00013.1.el9eap.noarch.rpm SHA-256: 908ca2b72dc8c3c8f66e313a549e170c287c4655fbe11691978107caa4bffd64
eap7-picketlink-idm-impl-2.5.5-23.SP12_redhat_00013.1.el9eap.noarch.rpm SHA-256: cbd8c37807ab2292ac5928cd1ad156a18b39371d64fb1518a4fb8a331f18a31b
eap7-picketlink-idm-simple-schema-2.5.5-23.SP12_redhat_00013.1.el9eap.noarch.rpm SHA-256: 5af113a28cf4e4d34a140379c0900d9fcc4fe10f9bd7ef19746871d34890aefa
eap7-picketlink-impl-2.5.5-23.SP12_redhat_00013.1.el9eap.noarch.rpm SHA-256: f65931bc2ee9dacdfab3f178ebe8c7f515b61f78958237a1f3d4d55f0edf43b3
eap7-picketlink-wildfly8-2.5.5-27.SP12_redhat_00016.1.el9eap.noarch.rpm SHA-256: 00cb7bad4621f9ae4cf0409897a325942358717cff62c55d782efb22ec8d4049
eap7-protostream-4.3.5-2.Final_redhat_00003.1.el9eap.noarch.rpm SHA-256: 99fadc062a2c6424d3707fc5108a2e4395c19404436c4cc24c511f1d32c48564
eap7-undertow-2.2.25-3.SP3_redhat_00001.1.el9eap.noarch.rpm SHA-256: 3e8b58d40f3108851ea572be9e8c8c3019d1ab8a99a0213fd2f26173f82a3763
eap7-wildfly-7.4.12-3.GA_redhat_00003.1.el9eap.noarch.rpm SHA-256: 24522393c217edede083978fe17b037e832c81f250d3fbb22ad1bcbf7bb0d5df
eap7-wildfly-elytron-1.15.17-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: a17baf4abb7850a9a26f69c1e606c73a515550edb5b52cc53e4024c2dcff585c
eap7-wildfly-elytron-tool-1.15.17-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 8d3d72078699386dfce51b2043bb2b7d8af464ab8ff833a328c1c846d574036c
eap7-wildfly-java-jdk11-7.4.12-3.GA_redhat_00003.1.el9eap.noarch.rpm SHA-256: 5c205a3fd72a3406c2d5b03100d163f5c9cf5aca05913a0a3ac89df0af60a9db
eap7-wildfly-java-jdk17-7.4.12-3.GA_redhat_00003.1.el9eap.noarch.rpm SHA-256: ed560a1b3ab0b03a3d5d5449b9f744f5b7135ead6e235095c384d1b5eaa08a28
eap7-wildfly-java-jdk8-7.4.12-3.GA_redhat_00003.1.el9eap.noarch.rpm SHA-256: 36a2685532381f51b515bc51be51e6ce419acd83cb16c92ec75bd3bffa5e7537
eap7-wildfly-javadocs-7.4.12-3.GA_redhat_00003.1.el9eap.noarch.rpm SHA-256: 627ad30ff0bbe97ceea103aa1a08532a7881210cafd70cccc2476c5b4b4d1737
eap7-wildfly-modules-7.4.12-3.GA_redhat_00003.1.el9eap.noarch.rpm SHA-256: b4958217f23a3add316e4b12d71be6d52f28688eb3f725037873fd3301b0e6a2
eap7-xalan-j2-2.7.1-36.redhat_00014.1.el9eap.noarch.rpm SHA-256: 33b74288d0ca017b781919d71332301791f3160701c1723786430d3b5da51e28

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.