Red Hat Product Errata RHSA-2024:8077 - Security Advisory
Issued:
2024-10-14
Updated:
2024-10-14

RHSA-2024:8077 - Security Advisory

Synopsis

Important: Red Hat JBoss Enterprise Application Platform 7.4.19 Security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.19 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.18, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.19 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

  • braces: fails to limit the number of characters it can handle [eap-7.4.z] (CVE-2024-4068)
  • jose4j: denial of service via specially crafted JWE [eap-7.4.z] (CVE-2023-51775)
  • wildfly-domain-http: wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS) [eap-7.4.z] (CVE-2024-4029)
  • xalan: integer truncation issue in Xalan-J (JAXP, 8285407) [eap-7.4.z] (CVE-2022-34169)
  • org.jsoup/jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled [eap-7.4.z] (CVE-2022-36033)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Application Platform 7.4 for RHEL 9 x86_64

Fixes

  • BZ - 2108554 - CVE-2022-34169 OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)
  • BZ - 2127078 - CVE-2022-36033 jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled
  • BZ - 2266921 - CVE-2023-51775 jose4j: denial of service via specially crafted JWE
  • BZ - 2278615 - CVE-2024-4029 wildfly: No timeout for EAP management interface may lead to Denial of Service (DoS)
  • BZ - 2280600 - CVE-2024-4068 braces: fails to limit the number of characters it can handle
  • JBEAP-27051 - Tracker bug for the EAP 7.4.19 release for RHEL-9
  • JBEAP-27357 - (7.4.z) Upgrade undertow from 2.2.33.SP1-redhat-00001 to 2.2.35.SP1
  • JBEAP-27548 - (7.4.z) Upgrade JBossws cxf from 5.4.9.Final-redhat-00001 to 5.4.12.Final-redhat-00001
  • JBEAP-27613 - (7.4.z) Upgrade Wildfly Core from 15.0.37.Final-redhat-00001 to 15.0.38.Final-redhat-00001
  • JBEAP-27658 - (7.4.z) Upgrade insights java client from 1.1.2.redhat-00001 to 1.1.3.redhat-00001
  • JBEAP-27700 - (7.4.z) Upgrade hibernate-validator from 6.0.23.Final-redhat-00001 to 6.0.23.SP1
  • JBEAP-27701 - (7.4.z) HV-2027 - Upgrade jsoup to 1.15.4 in hibernate-validator 6.0 branch
  • JBEAP-27713 - [GSS](7.4.z) Upgrade jboss-ejb-client from 4.0.54.Final-redhat-00001 to 4.0.55.Final
  • JBEAP-27714 - [GSS](7.4.z) Upgrade HAL Console from 3.3.23.Final-redhat-00001 to 3.3.24.Final
  • JBEAP-27715 - [GSS](7.4.z) Upgrade IronJacamar from 1.5.17.Final-redhat-00001 to 1.5.18.Final
  • JBEAP-27746 - (7.4.z) Upgrade jastow from 2.0.14.Final-redhat-00001 to 2.0.15.Final
  • JBEAP-27747 - (7.4.z) Upgrade Wildfly Core from 15.0.38.Final-redhat-00001 to 15.0.39.Final-redhat-00001

JBoss Enterprise Application Platform 7.4 for RHEL 9

SRPM
eap7-hal-console-3.3.24-1.Final_redhat_00001.1.el9eap.src.rpm SHA-256: d66d5e782687207b94ea59f317446512fa8252cd5cad48dacff7491909163f00
eap7-hibernate-validator-6.0.23-2.SP1_redhat_00001.1.el9eap.src.rpm SHA-256: bf408ac090e061a98449c38851040a46c720a9e8c91aef87aa623dd0386bb0b0
eap7-insights-java-client-1.1.3-1.redhat_00001.1.el9eap.src.rpm SHA-256: 4683221d59448a390ed3e4df9e9443f67594f64f6a156037043475037b815da5
eap7-ironjacamar-1.5.18-1.Final_redhat_00001.1.el9eap.src.rpm SHA-256: 2fc578e1263182151ccded66d4a32e30542e368ada193962b379af30c82af13d
eap7-jboss-cert-helper-1.1.3-1.redhat_00001.1.el9eap.src.rpm SHA-256: 721b7a01f6c55017ae07394c1a30c529fd5ba9ba9ac5f1a663ba7feadcacfc9d
eap7-jboss-ejb-client-4.0.55-1.Final_redhat_00001.1.el9eap.src.rpm SHA-256: 1ab19edcccdbbb2bf73ae6af90a49133bac027a414f3a6d8dd0770547e648856
eap7-jboss-server-migration-1.10.0-39.Final_redhat_00039.1.el9eap.src.rpm SHA-256: 18ee9e27418f298f084762cef4eb1bb7f78ecc4868265890b9e30562bc72b197
eap7-jbossws-cxf-5.4.12-1.Final_redhat_00001.1.el9eap.src.rpm SHA-256: 727873572d2f71f5e6e14da3f271257e12c5ed995682e55f5ee7e6fae31f0a59
eap7-jsoup-1.15.4-1.redhat_00003.1.el9eap.src.rpm SHA-256: cb4eaec59f349681d4788230509f1c7d0a98f518052202434a26e7aa0b775e05
eap7-undertow-jastow-2.0.15-1.Final_redhat_00001.1.el9eap.src.rpm SHA-256: fb6a074026e8253b6bb281328c5e624d5eed7d0d2c4abfe6fc333ee9495b5c15
eap7-wildfly-7.4.19-1.GA_redhat_00002.1.el9eap.src.rpm SHA-256: 3270932f8400a0d7e26ecd7fd26d6729c80f1f3c211346cd2156d7f9e70afd69
eap7-xalan-j2-2.7.1-37.redhat_00015.1.el9eap.src.rpm SHA-256: 9a8b8771d5bf7a71dad7d6097a491ec07bc46860abcce099b3a57fe2be036bc8
x86_64
eap7-hal-console-3.3.24-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: d3e1d2c8150df3b19f71838ea8b455cefabd85bd5a32f7dc2b206a91ef55d497
eap7-hibernate-validator-6.0.23-2.SP1_redhat_00001.1.el9eap.noarch.rpm SHA-256: 3ef3fd02775155088b26e81264abf175173796d0678e242e1c08b38c17136b0f
eap7-hibernate-validator-cdi-6.0.23-2.SP1_redhat_00001.1.el9eap.noarch.rpm SHA-256: 228b6352b4ea7a445992f2b8b79fec9fac712f68f377e363e09d40ff6f2014fb
eap7-insights-java-client-1.1.3-1.redhat_00001.1.el9eap.noarch.rpm SHA-256: 5d226c38c06df118f47b99f51a02e749c0912355e283bcc39f9168575ba31566
eap7-ironjacamar-1.5.18-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: df159132adbe4640e7b45eb8bb3577db6690334b1351c73a1fb85d05aa91d18f
eap7-ironjacamar-common-api-1.5.18-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 0a95ea5b364bb07186cb44cd52cf07e4d382cedc8192a12b3551236093fcb0cc
eap7-ironjacamar-common-impl-1.5.18-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: fbf0c91f605c26418037097fd0e7798e530420f6091041fc2f1917f60411dbed
eap7-ironjacamar-common-spi-1.5.18-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 58875cc1353ac2db10cd126711c3dc671ced966e1ace0f16e655bf114fb761cf
eap7-ironjacamar-core-api-1.5.18-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 886e846b5bad56b6042bd0def7fbb7be30d0003277c71ce913f1baaf2e1956da
eap7-ironjacamar-core-impl-1.5.18-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 7e3d6d9a96b3b72ef77b0423dff724602062ffaacdb47f60ef3d1eabfe29de8e
eap7-ironjacamar-deployers-common-1.5.18-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 45c3f17704ba003a4371f4d709678866a2b64193f60afed4bbec938c26b46383
eap7-ironjacamar-jdbc-1.5.18-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: bbb06acb9ff4d575338e26f956cadffad04742a55725e82580af373f8c5299be
eap7-ironjacamar-validator-1.5.18-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 106913d6d84b7acde560280f2b758870a47d24153e9d56ba6c9b4f5f4c37cced
eap7-jboss-cert-helper-1.1.3-1.redhat_00001.1.el9eap.x86_64.rpm SHA-256: 616f2c5f6e92ae1aa6590f4864e9f9d0d676f47ceb22787c4e04edf461a79c89
eap7-jboss-ejb-client-4.0.55-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: fe8438e55ff2e469f15d1b23e5f97006fd8c72d1d0f61b1e3afc42e0cb59db05
eap7-jboss-server-migration-1.10.0-39.Final_redhat_00039.1.el9eap.noarch.rpm SHA-256: 322a1a8de88b0e00d693e1b5c3b44013db482964530c0c314068990d74037fcf
eap7-jboss-server-migration-cli-1.10.0-39.Final_redhat_00039.1.el9eap.noarch.rpm SHA-256: b3fc7169421f706667658c8dd65f3b0e03b3e318d256ab5c6a3fdef63ce3af23
eap7-jboss-server-migration-core-1.10.0-39.Final_redhat_00039.1.el9eap.noarch.rpm SHA-256: 865055a8a5ca6b86c2fcc65633900e027d48066fefee1d5a305b248050f04ef5
eap7-jbossws-cxf-5.4.12-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 1856a2d3b673b9401325e555c10eae4702615ccb3a704ca5e444f0b4532c0460
eap7-jsoup-1.15.4-1.redhat_00003.1.el9eap.noarch.rpm SHA-256: b99df1bbc1334e6f79f60c16b97e11eb2905f841e37a09184c55b7b743b564e8
eap7-undertow-jastow-2.0.15-1.Final_redhat_00001.1.el9eap.noarch.rpm SHA-256: 729c4a20885581ed3c5702aeddc886269292590b7425a02a9dcb77a3c0c7a08b
eap7-wildfly-7.4.19-1.GA_redhat_00002.1.el9eap.noarch.rpm SHA-256: 98dd30b5c9651b87ea6b1ccfb15e619bda11a9c5a96d3235f3da47e2a262ab10
eap7-wildfly-java-jdk11-7.4.19-1.GA_redhat_00002.1.el9eap.noarch.rpm SHA-256: 37173c2c0f06042dfba3945492b8eba63178d52ebf1daefbe761a75011be9965
eap7-wildfly-java-jdk17-7.4.19-1.GA_redhat_00002.1.el9eap.noarch.rpm SHA-256: 340626238cea5f673339eac2f0cf29864afb7f7cc4df95c33c6f10f5dcfbb90e
eap7-wildfly-java-jdk8-7.4.19-1.GA_redhat_00002.1.el9eap.noarch.rpm SHA-256: bc34dc6e951bb2933ceacc31b320eabc9866460b9ef140af6db43bcd4d58b98c
eap7-wildfly-javadocs-7.4.19-1.GA_redhat_00002.1.el9eap.noarch.rpm SHA-256: c0e5ab83ff027e89529275a05a8714764f14556f72518696eee1a00c040c7e4c
eap7-wildfly-modules-7.4.19-1.GA_redhat_00002.1.el9eap.noarch.rpm SHA-256: 55bbc0f1d2ce980836a4d6b74047f65c86eb3f0d39f79be98e0b423fdc98b5d8
eap7-xalan-j2-2.7.1-37.redhat_00015.1.el9eap.noarch.rpm SHA-256: 3d862619808f99e6003048667393757c1f4891e623fd1b986d988a574ad2ec59

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.