RHSA-2024:1677 - Security Advisory

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.16 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.15, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.16 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

• undertow: Cookie Smuggling/Spoofing [eap-7.4.z] (CVE-2023-4639)
• apache-sshd: ssh: Prefix truncation attack on Binary Packet Protocol (BPP) [eap-7.4.z] (CVE-2023-48795)
• undertow: unrestricted request storage leads to memory exhaustion [eap-7.4.z] (CVE-2023-1973)
• undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol [eap-7.4.z] (CVE-2024-1635)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying the update, make sure all previously released errata relevant to your system have been applied.
Also, back up your existing installation, including all applications, configuration files, databases and database settings.
For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Affected Products

• JBoss Enterprise Application Platform Text-Only Advisories x86_64

Fixes

• BZ - 2166022 - CVE-2023-4639 undertow: Cookie Smuggling/Spoofing
• BZ - 2185662 - CVE-2023-1973 undertow: unrestricted request storage leads to memory exhaustion
• BZ - 2254210 - CVE-2023-48795 ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
• BZ - 2264928 - CVE-2024-1635 undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol
• JBEAP-19969 - (7.4.z) AS-TS IBM test cases fails due to update mockserver-netty
• JBEAP-26168 - (7.4.z) Upgrade Undertow from 2.2.28.SP1 to 2.2.30.SP1
• JBEAP-26280 - (7.4.z) Upgrade hal console from 3.3.20.Final-redhat-00001 to 3.3.21.Final-redhat-00001
• JBEAP-26291 - (7.4.z) Upgrade Elytron from 1.15.21.Final-redhat-00001 to 1.15.22.Final-redhat-00001
• JBEAP-26318 - [GSS](7.4.z) Upgrade Hibernate from 5.3.33.Final-redhat-00001 to 5.3.36.Final-redhat-00001
• JBEAP-26343 - (7.4.z) Upgrade Artemis from 2.16.0.redhat-00051 to 2.16.0.redhat-00052
• JBEAP-26355 - [GSS](7.4.z) UNDERTOW-2337 - Multipart form-data larger than 16KiB is not available through Servlet getParameter API after EAP 7.4.12 (CVE-2023-3223 / UNDERTOW-2271 fix)
• JBEAP-26414 - (7.4.z) Upgrade Eclipse JGit to 5.13.3.202401111512-r
• JBEAP-26467 - (7.4.z) CVE-2023-48795 Upgrade SSHD from 2.9.3.redhat-00001 to 2.12.1.redhat-00001
• JBEAP-26533 - (7.4.z) Upgrade jberet from 1.3.9.SP2-redhat-00001 to 1.3.9.SP3-redhat-00001
• JBEAP-26552 - (7.4.z) Upgrade jgroups-kubernetes from 1.0.16.Final to 1.0.17.Final
• JBEAP-26587 - (7.4.z) Upgrade Elytron Web from 1.9.3.Final-redhat-00001 to 1.9.4.Final-redhat-00001
• JBEAP-26616 - (7.4.z) Upgrade xnio from 3.8.11.SP1-redhat-00001 to 3.8.12.SP2-redhat-00001
• JBEAP-26617 - (7.4.z) Upgrade remoting from 5.0.27.Final-redhat-00001 to 5.0.27.SP2-redhat-00001
• JBEAP-26636 - (7.4.z) Upgrade Insights from 1.1.1.redhat-00001 to 1.1.2.redhat-00001
• JBEAP-26660 - (7.4.z) Upgrade Wildfly Core from 15.0.33.Final-redhat-00001 to 15.0.35.Final-redhat-00001

CVEs

• CVE-2023-1973
• CVE-2023-4639
• CVE-2023-48795
• CVE-2024-1459
• CVE-2024-1635

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.4
• https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/
• https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/