[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[RHSA-2017:3400-01] Important: Red Hat JBoss Enterprise Application Platform 5.2 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 5.2 security update
Advisory ID:       RHSA-2017:3400-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3400
Issue date:        2017-12-07
CVE Names:         CVE-2017-5645 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on the JBoss Application Server.

This asynchronous patch is a security update for log4j package in Red Hat
JBoss Enterprise Application Platform 5.2.0.

Security Fix(es):

* It was found that when using remote logging with log4j socket server the
log4j server would deserialize any log event received via TCP or UDP. An
attacker could use this flaw to send a specially crafted log event that,
during deserialization, would execute arbitrary code in the context of the
logger application. (CVE-2017-5645)

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2017-5645
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.2.0
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/

6. Contact:

The Red Hat security contact is <secalert redhat com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFaKXSlXlSAg2UNWIIRArefAKCNrcHUuB0Jmu28+K8TfkCsg/WyQwCfXkmC
tx/xABNMq0u6tyetMVwS2Kw=
=FsJF
-----END PGP SIGNATURE-----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]