The following products are not affected by this flaw, as they do not use the vulnerable functionality of either aspect of the issue.
Red Hat JBoss Enterprise Application Platform 6
Red Hat JBoss BPM Suite
Red Hat JBoss BRMS
Red Hat Enterprise Virtualization Manager
Red Hat Single Sign-On 7
Red Hat JBoss Portal Platform 6
Red Hat JBoss Enterprise Application Platform 7 is not affected by this flaw. However, it does ship the vulnerable Lucene class in a dependency to another component. Customers who reuse the lucene-queryparser jar in their applications may be vulnerable to the External Entity Expansion aspect of this flaw. This will be patched in a forthcoming release.
Red Hat JBoss Fuse is not affected by this flaw, as it does not use the vulnerable functionality of either aspect of this flaw. Fuse customers who may be running external Solr servers, while not affected from the Fuse side, are advised to secure their Solr servers as recommended in the mitigation provided.
The following products ship only the Lucene components relevant to this flaw, and are not vulnerable to the second portion of the vulnerability, the code execution exploit. As such, the impact of this flaw has been determined to be Moderate for these respective products:
Red Hat JBoss Data Grid 7
Red Hat Enterprise Linux 6
Red Hat Software Collections 2.4
This issue did not affect the versions of lucene as shipped with Red Hat Enterprise Linux 5.
CVSS v2 metrics
CVSS v3 metrics
|CVSS3 Base Score||9.8|
|CVSS3 Base Metrics||CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H|
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
|Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-lucene-solr)||RHSA-2017:3123||2017-11-06|
|Red Hat JBoss Data Grid 7.1||RHSA-2017:3244||2017-11-16|
|Red Hat JBoss EAP 7||RHSA-2017:3124||2017-11-06|
|Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-lucene-solr)||RHSA-2017:3123||2017-11-06|
Affected Packages State
|Red Hat Software Collections for Red Hat Enterprise Linux||rh-java-common-lucene||Affected|
|Red Hat Software Collections for Red Hat Enterprise Linux||rh-java-common-lucene5||Affected|
|Red Hat Single Sign-On 7||lucene||Not affected|
|Red Hat JBoss Portal Platform 6||solr||Not affected|
|Red Hat JBoss Fuse 6||Camel||Not affected|
|Red Hat JBoss EAP 6||lucene||Not affected|
|Red Hat JBoss EAP 6||solr||Not affected|
|Red Hat JBoss BRMS 6||lucene||Not affected|
|Red Hat JBoss BPMS 6||lucene||Not affected|
|Red Hat Enterprise Linux 6||lucene||Will not fix|
|Red Hat Enterprise Linux 5||lucene||Not affected|
|RHEV-M 4.0||lucene||Not affected|