Red Hat Product Errata RHSA-2024:5856 - Security Advisory
Issued:
2024-08-26
Updated:
2024-08-26

RHSA-2024:5856 - Security Advisory

Synopsis

Important: Red Hat JBoss Enterprise Application Platform 7.1.7 on RHEL 7 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.7 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

  • undertow: EAP: field-name is not parsed in accordance to RFC7230 [eap-7.1.z] (CVE-2020-1710)
  • commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default [eap-7.1.z] (CVE-2019-10086)
  • log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [eap-7.1.z] (CVE-2022-23302)
  • jackson-databind: default typing mishandling leading to remote code execution [eap-7.1.z] (CVE-2019-14379)
  • undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9514)
  • undertow: AJP File Read/Inclusion Vulnerability [eap-7.1.z] (CVE-2020-1745)
  • undertow: HTTP/2: large amount of data requests leads to denial of service [eap-7.1.z] (CVE-2019-9511)
  • undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass [eap-7.1.z] (CVE-2020-1757)
  • undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS [eap-7.1.z] (CVE-2019-14888)
  • log4j: Unsafe deserialization flaw in Chainsaw log viewer [eap-7.1.z] (CVE-2022-23307)
  • netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header [eap-7.1.z] (CVE-2019-20445)
  • log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [eap-7.1.z] (CVE-2021-4104)
  • undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory growth [eap-7.1.z] (CVE-2019-9515)
  • infinispan-core: infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods [eap-7.1.z] (CVE-2019-10174)
  • log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [eap-7.1.z] (CVE-2022-23305)
  • jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution [eap-7.1.z] (CVE-2019-12384)
  • wildfly-security-manager: security manager authorization bypass (CVE-2019-14843)
  • HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
  • netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)
  • jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)
  • netty: HTTP request smuggling (CVE-2019-20444)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Application Platform 7.1 EUS 7.1 x86_64

Fixes

  • BZ - 1703469 - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
  • BZ - 1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
  • BZ - 1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
  • BZ - 1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
  • BZ - 1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth
  • BZ - 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution
  • BZ - 1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service
  • BZ - 1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
  • BZ - 1752980 - CVE-2019-14843 wildfly-security-manager: security manager authorization bypass
  • BZ - 1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
  • BZ - 1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
  • BZ - 1772464 - CVE-2019-14888 undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS
  • BZ - 1775293 - CVE-2019-17531 jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
  • BZ - 1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230
  • BZ - 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
  • BZ - 1798524 - CVE-2019-20444 netty: HTTP request smuggling
  • BZ - 1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability
  • BZ - 2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
  • BZ - 2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
  • BZ - 2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
  • BZ - 2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer
  • JBEAP-24826 - Tracker bug for the EAP 7.1.7 release for RHEL-7

JBoss Enterprise Application Platform 7.1 EUS 7.1

SRPM
eap7-apache-commons-beanutils-1.9.4-1.redhat_00002.1.ep7.el7.src.rpm SHA-256: 1bd2c57b5a3b39daa32f6bee2dcfd07d680628e0a6eaf996b53be300bedd8dd5
eap7-infinispan-8.2.11-1.SP2_redhat_00001.1.ep7.el7.src.rpm SHA-256: 232e24151e24c1d22626a8dee5291f82a7c1a0b221061b516027cb5f3fbc96e3
eap7-jackson-databind-2.8.11.5-1.redhat_00001.1.ep7.el7.src.rpm SHA-256: da65f2b32cb98894b6e2bf3d224a646743b6e2859478e34451066af4d647d573
eap7-log4j-jboss-logmanager-1.2.2-1.Final_redhat_00002.1.ep7.el7.src.rpm SHA-256: cc2658c36315c7469a46279f6f563f4df8c723900579c8762cd5e7ce56e830f6
eap7-netty-4.1.45-1.Final_redhat_00001.1.ep7.el7.src.rpm SHA-256: 84e77c10d91383aee50a3c6154f3a3d26d97f67af9cf44be58b24b0a3cf1e0a9
eap7-undertow-1.4.18-12.SP12_redhat_00001.1.ep7.el7.src.rpm SHA-256: b6b810fb3406a7ab98858774014621faa1fe771d4f22d420d1691860609724e0
eap7-wildfly-7.1.7-2.GA_redhat_00002.1.ep7.el7.src.rpm SHA-256: 1e228fc191131c27319e767f25047260821bb5580dd03efd366410122039a056
eap7-wildfly-elytron-1.1.13-1.Final_redhat_00001.1.ep7.el7.src.rpm SHA-256: db091dac62c320c5afd5ebed22cdb8f44999dfb7dc4ab906458873c87f5ef9bc
x86_64
eap7-apache-commons-beanutils-1.9.4-1.redhat_00002.1.ep7.el7.noarch.rpm SHA-256: 9cdd5adc1a26c1730dbda2b96a9a66e514fc2cca711a1f247e7b00edfe66a129
eap7-infinispan-8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: b2ec9470ff006e25eb603ef0a05e91e2aed05c270ac07381f855f102c5bdebed
eap7-infinispan-cachestore-jdbc-8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 70c6d39b0a29e6ba0ac227feceaa45905a8bc646048214d6504eec985abe08b9
eap7-infinispan-cachestore-remote-8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: da7268c001c34ca8121a98fc3f113123f04faaa01bc28ab3e03b0b5d800c7602
eap7-infinispan-client-hotrod-8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 5694b48bfe38797a48706898d5e8de9e4599cc832c2f9b3143ea043fe1905807
eap7-infinispan-commons-8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 3867f14578ab6157b3d9e156a796846ee5f338384b9b9af580fdf92acf98e73e
eap7-infinispan-core-8.2.11-1.SP2_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: fea344f1f1686672dbb3e847013a2836c06bfecf0d7b6ebadece45887df1cbc1
eap7-jackson-databind-2.8.11.5-1.redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 518ca22b6ad46ab26551dc04b7f5995e3817b1d1d75675e50600568646334d4b
eap7-log4j-jboss-logmanager-1.2.2-1.Final_redhat_00002.1.ep7.el7.noarch.rpm SHA-256: 71131ee22800aca6cf731a2dc686df35d6008c313cf43787beb480b103584eb7
eap7-netty-4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 204e2d4ab1ba05a4c1b28b46d21baf702a0ffc399c0fbefe52d82d0d1002eb7b
eap7-netty-all-4.1.45-1.Final_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: bbfbb55e4a22a1478833fd9a1b4095b7bebec151745c7121821748b72dd13151
eap7-undertow-1.4.18-12.SP12_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 751a22ade937d9b2020222b3e6b4d980606d3105a82bdb20389d0715e12713ad
eap7-wildfly-7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch.rpm SHA-256: 1ee2e389bd4b4becf1704331e5f984cad5b955a5260e967df37ce344911c8a9a
eap7-wildfly-elytron-1.1.13-1.Final_redhat_00001.1.ep7.el7.noarch.rpm SHA-256: 4720cbbbad40e74e11c66d540d5fe08b1a4d33dd43426d1cf07b73362d4258a8
eap7-wildfly-modules-7.1.7-2.GA_redhat_00002.1.ep7.el7.noarch.rpm SHA-256: 75cabfa0eb8817bea26d53027c6d2cec7f7aa3b6fdfc41769a84a1e403c389ba

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.