[RHSA-2018:2741-01] Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Mon Sep 24 22:10:45 UTC 2018


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update
Advisory ID:       RHSA-2018:2741-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2741
Issue date:        2018-09-24
CVE Names:         CVE-2017-2582 CVE-2017-7536 CVE-2018-1336 CVE-2018-10237
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform 6.4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 6.4.21 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.20,
and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* hibernate-validator: Privilege escalation when running under the security
manager (CVE-2017-7536)

* guava: Unbounded memory allocation in AtomicDoubleArray and
CompoundOrdering classes allow remote attackers to cause a denial of
service (CVE-2018-10237)

* picketlink: The fix for CVE-2017-2582 broke attribute replacement with a
system property in picketlink.xml (CVE-2017-2582)

* jbossweb: tomcat: A bug in the UTF-8 decoder can lead to DoS
(CVE-2018-1336)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the
CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1261190 - [GSS](6.4.z) Upgrade jboss-ejb-client from 1.0.40 to 1.0.41
1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties
1465573 - CVE-2017-7536 hibernate-validator: Privilege escalation when running under the security manager
1570200 - [GSS](6.4.z) Upgrade JBoss Modules from 1.3.10 to 1.3.11
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1578830 - (6.4.z) Upgrade hibernate-validator from 4.3.3 to 4.3.4
1580440 - [GSS](6.4.z) Upgrade xnio from 3.0.16 to 3.0.17
1594389 - [GSS](6.4.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml
1602226 - [GSS](6.4.z) Upgrade xerces from 2.9.1.redhat-6 to 2.9.1.redhat-8
1606334 - [GSS](6.4.z) Upgrade JBoss VFS from 3.2.12 to 3.2.13
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
1610355 - [GSS](6.4.z) Upgrade HornetQ from 2.3.25.SP24 to 2.3.25.SP28
1610742 - [GSS](6.4.z) Upgrade JBoss Web from 7.5.28 to 7.5.29
1611770 - [GSS](6.4.z) Upgrade Ironjacamar from 1.0.41 to 1.0.42
1614448 - [GSS](6.4.z) Upgrade Jackson from 1.9.9.redhat-6 to 1.9.9.redhat-7
1615347 - [GSS](6.4.z) Upgrade PicketLink from 2.5.4.SP18-redhat-1 to 2.5.4.SP18-redhat-2
1615380 - [GSS](6.4.z) Upgrade Guava from 13.0.1.redhat-2 to 13.0.1.redhat-3

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server:

Source:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el7.src.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el7.src.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el7.src.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el7.src.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.src.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el7.src.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el7.src.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el7.src.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.src.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el7.src.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el7.src.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el7.src.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el7.src.rpm

noarch:
codehaus-jackson-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-core-asl-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-jaxrs-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-mapper-asl-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
codehaus-jackson-xc-1.9.9-14.redhat_7.1.ep6.el7.noarch.rpm
guava-libraries-13.0.1-5.redhat_3.1.ep6.el7.noarch.rpm
hibernate4-validator-4.3.4-1.Final_redhat_1.1.ep6.el7.noarch.rpm
hornetq-2.3.25-27.SP28_redhat_1.1.ep6.el7.noarch.rpm
ironjacamar-common-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-common-impl-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-common-spi-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-core-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-core-impl-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-deployers-common-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-jdbc-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-spec-api-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
ironjacamar-validator-eap6-1.0.42-2.Final_redhat_2.1.ep6.el7.noarch.rpm
jboss-as-appclient-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-cli-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-client-all-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-clustering-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-cmp-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-connector-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-controller-client-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-core-security-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-deployment-repository-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-deployment-scanner-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-domain-http-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-domain-management-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ee-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ee-deployment-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-ejb3-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-embedded-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-host-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jacorb-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jaxr-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jaxrs-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jdr-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jpa-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jsf-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-jsr77-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-logging-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-mail-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-management-client-content-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-messaging-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-modcluster-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-naming-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-network-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-configadmin-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-osgi-service-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-picketlink-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-platform-mbean-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-pojo-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-process-controller-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-protocol-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-remoting-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-sar-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-security-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-server-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-system-jmx-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-threads-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-transactions-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-version-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-web-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-webservices-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-weld-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-as-xts-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-ejb-client-1.0.41-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-modules-1.3.11-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-vfs2-3.2.13-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jboss-xnio-base-3.0.17-1.GA_redhat_1.1.ep6.el7.noarch.rpm
jbossas-appclient-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-bundles-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-core-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-domain-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-javadocs-7.5.21-2.Final_redhat_1.2.ep6.el7.noarch.rpm
jbossas-modules-eap-7.5.21-1.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-product-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-standalone-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossas-welcome-content-eap-7.5.21-2.Final_redhat_1.1.ep6.el7.noarch.rpm
jbossweb-7.5.29-1.Final_redhat_1.1.ep6.el7.noarch.rpm
picketlink-bindings-2.5.4-23.SP18_redhat_2.1.ep6.el7.noarch.rpm
picketlink-federation-2.5.4-21.SP18_redhat_2.1.ep6.el7.noarch.rpm
xerces-j2-eap6-2.9.1-19.redhat_8.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
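Added example, not part of the advisory or of Red Hat's own tooling: a Python check that reads `rpm` query output and reports which of the packages carrying this advisory's CVE fixes are still installed below the fixed version-release listed above. The `rpmvercmp` here is a simplified reimplementation of RPM's comparison (no epoch handling), and the sample query output is constructed.

```python
import re

# Fixed version-release of the CVE-carrying packages in RHSA-2018:2741 (el7 noarch), from the package list above.
FIXED = {
    "jbossweb": "7.5.29-1.Final_redhat_1.1.ep6.el7",
    "guava-libraries": "13.0.1-5.redhat_3.1.ep6.el7",
    "hibernate4-validator": "4.3.4-1.Final_redhat_1.1.ep6.el7",
    "picketlink-federation": "2.5.4-21.SP18_redhat_2.1.ep6.el7",
    "picketlink-bindings": "2.5.4-23.SP18_redhat_2.1.ep6.el7",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output (not from any real host).
SAMPLE = """jbossweb 7.5.28-1.Final_redhat_1.1.ep6.el7
guava-libraries 13.0.1-5.redhat_3.1.ep6.el7
hibernate4-validator 4.3.3-2.Final_redhat_1.1.ep6.el7
picketlink-federation 2.5.4-21.SP18_redhat_2.1.ep6.el7
"""
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a, b):
    """Simplified rpmvercmp (-1/0/1): numeric beats alpha, '~' sorts lowest."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):
            if x != y:
                return -1 if x == "~" else 1
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:  # numeric: after stripping leading zeros, the longer string is larger
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):  # extra segments win, unless the first extra one is '~'
        sign, longer = (1, sa) if len(sa) > len(sb) else (-1, sb)
        return -sign if longer[min(len(sa), len(sb))] == "~" else sign
    return 0

def vr_cmp(a, b):  # compare 'VERSION-RELEASE' strings; epoch is assumed equal
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(rpm_output):
    """Names of advisory packages installed below their fixed version-release."""
    pairs = (line.split() for line in rpm_output.strip().splitlines())
    return [n for n, vr in pairs if n in FIXED and vr_cmp(vr, FIXED[n]) < 0]
```

On a real host, feed `audit()` the output of the `rpm -qa` query shown in the comment; an empty list means every listed package is at or above the advisory's version.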

7. References:

https://access.redhat.com/security/cve/CVE-2017-2582
https://access.redhat.com/security/cve/CVE-2017-7536
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.