Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2014-9970 (GCVE-0-2014-9970)
Vulnerability from cvelistv5
Published
2017-05-21 18:00
Modified
2024-08-06 14:02
Severity ?
EPSS score ?
Summary
jasypt before 1.9.2 allows a timing attack against the password hash comparison.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T14:02:37.618Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "1040360", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1040360", }, { name: "RHSA-2017:2809", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "RHSA-2017:2547", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { name: "RHSA-2017:2810", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "1039744", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1039744", }, { name: "RHSA-2018:0294", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { name: "RHSA-2017:2808", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "RHSA-2017:2546", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://sourceforge.net/p/jasypt/code/668/", }, { name: "RHSA-2017:3141", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { name: "RHSA-2017:2811", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2017-05-21T00:00:00", descriptions: [ { lang: "en", value: "jasypt before 1.9.2 allows a timing attack against the password hash comparison.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-02-13T10:57:01", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "1040360", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1040360", }, { name: "RHSA-2017:2809", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "RHSA-2017:2547", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { name: "RHSA-2017:2810", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "1039744", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1039744", }, { name: "RHSA-2018:0294", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { name: "RHSA-2017:2808", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "RHSA-2017:2546", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://sourceforge.net/p/jasypt/code/668/", }, { name: "RHSA-2017:3141", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { name: "RHSA-2017:2811", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2014-9970", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "jasypt before 1.9.2 allows a timing attack against the password hash comparison.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "1040360", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1040360", }, { name: "RHSA-2017:2809", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "RHSA-2017:2547", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { name: "RHSA-2017:2810", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "1039744", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1039744", }, { name: "RHSA-2018:0294", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { name: "RHSA-2017:2808", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "RHSA-2017:2546", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { name: "https://sourceforge.net/p/jasypt/code/668/", refsource: "CONFIRM", url: "https://sourceforge.net/p/jasypt/code/668/", }, { name: "RHSA-2017:3141", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { name: "RHSA-2017:2811", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2014-9970", datePublished: "2017-05-21T18:00:00", dateReserved: "2017-05-21T00:00:00", dateUpdated: "2024-08-06T14:02:37.618Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jasypt_project:jasypt:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.9.1\", \"matchCriteriaId\": \"CE8F4A27-C1BE-4759-AA43-FD9991FE98D5\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"jasypt before 1.9.2 allows a timing attack against the password hash comparison.\"}, {\"lang\": \"es\", \"value\": \"Jasypt en versiones anteriores a la 1.9.2 permite un ataque de sincronizaci\\u00f3n contra la comparaci\\u00f3n del hash de la contrase\\u00f1a.\"}]", id: "CVE-2014-9970", lastModified: "2024-11-21T02:22:05.647", metrics: "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: "2017-05-21T18:29:00.173", references: "[{\"url\": \"http://www.securitytracker.com/id/1039744\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securitytracker.com/id/1040360\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2546\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2547\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2808\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2809\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2810\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2811\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:3141\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:0294\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://sourceforge.net/p/jasypt/code/668/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securitytracker.com/id/1039744\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1040360\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2546\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2547\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2808\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2809\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2810\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2811\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:3141\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:0294\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://sourceforge.net/p/jasypt/code/668/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}]", sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2014-9970\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-05-21T18:29:00.173\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"jasypt before 1.9.2 allows a timing attack against the password hash comparison.\"},{\"lang\":\"es\",\"value\":\"Jasypt en versiones anteriores a la 1.9.2 permite un ataque de sincronización contra la comparación del hash de la contraseña.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jasypt_project:jasypt:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.9.1\",\"matchCriteriaId\":\"CE8F4A27-C1BE-4759-AA43-FD9991FE98D5\"}]}]}],\"references\":[{\"url\":\"http://www.securitytracker.com/id/1039744\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id/1040360\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2546\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2547\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2808\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2809\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2810\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2811\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:3141\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:0294\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://sourceforge.net/p/jasypt/code/668/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://www.securitytracker.com/id/1039744\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1040360\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2546\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2547\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2808\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2809\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2810\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2811\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:3141\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:0294\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://sourceforge.net/p/jasypt/code/668/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]}]}}", }, }
ghsa-r5c2-rxh2-f5h2
Vulnerability from github
Published
2022-05-14 03:44
Modified
2022-07-06 20:41
Severity ?
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Apache Jasypt
Details
jasypt before 1.9.2 allows a timing attack against the password hash comparison.
{ affected: [ { package: { ecosystem: "Maven", name: "org.jasypt:jasypt", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.9.2", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2014-9970", ], database_specific: { cwe_ids: [ "CWE-200", ], github_reviewed: true, github_reviewed_at: "2022-07-06T20:41:49Z", nvd_published_at: "2017-05-21T18:29:00Z", severity: "HIGH", }, details: "jasypt before 1.9.2 allows a timing attack against the password hash comparison.", id: "GHSA-r5c2-rxh2-f5h2", modified: "2022-07-06T20:41:49Z", published: "2022-05-14T03:44:52Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { type: "WEB", url: "https://sourceforge.net/p/jasypt/code/668", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", type: "CVSS_V3", }, ], summary: "Exposure of Sensitive Information to an Unauthorized Actor in Apache Jasypt", }
rhsa-2017_3141
Vulnerability from csaf_redhat
Published
2017-11-07 17:23
Modified
2024-11-14 23:39
Summary
Red Hat Security Advisory: rhvm-appliance security, bug fix, and enhancement update
Notes
Topic
An update for rhvm-appliance is now available for RHEV 4.X RHEV-H and Agents for RHEL-7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.
The following packages have been upgraded to a later upstream version: rhvm-appliance (20171019.0). (BZ#1496586)
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. The CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for rhvm-appliance is now available for RHEV 4.X RHEV-H and Agents for RHEL-7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.\n\nThe following packages have been upgraded to a later upstream version: rhvm-appliance (20171019.0). (BZ#1496586)\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. The CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:3141", url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "1496586", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1496586", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3141.json", }, ], title: "Red Hat Security Advisory: rhvm-appliance security, bug fix, and enhancement update", tracking: { current_release_date: "2024-11-14T23:39:18+00:00", generator: { date: "2024-11-14T23:39:18+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:3141", initial_release_date: "2017-11-07T17:23:02+00:00", revision_history: [ { date: "2017-11-07T17:23:02+00:00", number: "1", summary: "Initial version", }, { date: "2017-11-07T17:23:02+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-14T23:39:18+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product: { name: "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product_id: "7Server-RHEV-4-Agents-7", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::hypervisor", }, }, }, { category: "product_name", name: "Red Hat Virtualization 4 Hypervisor for RHEL 7", product: { name: "Red Hat Virtualization 4 Hypervisor for RHEL 7", product_id: "7Server-RHEV-4-Hypervisor-7", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::hypervisor", }, }, }, ], category: "product_family", name: "Red Hat Virtualization", }, { branches: [ { category: "product_version", name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", product: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", product_id: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/rhvm-appliance@4.1.20171102.0-1.el7?arch=src&epoch=1", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", product: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", product_id: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rhvm-appliance@4.1.20171102.0-1.el7?arch=noarch&epoch=1", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product_id: "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", relates_to_product_reference: "7Server-RHEV-4-Agents-7", }, { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product_id: "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", relates_to_product_reference: "7Server-RHEV-4-Agents-7", }, { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7", product_id: "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", relates_to_product_reference: "7Server-RHEV-4-Hypervisor-7", }, { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7", product_id: "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", relates_to_product_reference: "7Server-RHEV-4-Hypervisor-7", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-11-07T17:23:02+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:3141", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-11-07T17:23:02+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-11-07T17:23:02+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:3141", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, ], }
rhsa-2017_2810
Vulnerability from csaf_redhat
Published
2017-09-26 17:58
Modified
2024-12-15 18:48
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Enterprise Application Platform.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2810", url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/", url: "https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2810.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update", tracking: { current_release_date: "2024-12-15T18:48:09+00:00", generator: { date: "2024-12-15T18:48:09+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2017:2810", initial_release_date: "2017-09-26T17:58:02+00:00", revision_history: [ { date: "2017-09-26T17:58:02+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T17:58:02+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T18:48:09+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss EAP 7", product: { name: "Red Hat JBoss EAP 7", product_id: "Red Hat JBoss EAP 7", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "Red Hat JBoss EAP 7", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
rhsa-2017_2905
Vulnerability from csaf_redhat
Published
2017-10-17 19:53
Modified
2024-11-22 11:32
Summary
Red Hat Security Advisory: rh-sso7-keycloak security update
Notes
Topic
An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.
Security Fix(es):
* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)
* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)
* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)
* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)
Red Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.\n\nSecurity Fix(es):\n\n* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)\n\n* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)\n\n* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)\n\n* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)\n\nRed Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2905", url: "https://access.redhat.com/errata/RHSA-2017:2905", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", }, { category: "external", summary: "1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "RHSSO-1122", url: "https://issues.redhat.com/browse/RHSSO-1122", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2905.json", }, ], title: "Red Hat Security Advisory: rh-sso7-keycloak security update", tracking: { current_release_date: "2024-11-22T11:32:47+00:00", generator: { date: "2024-11-22T11:32:47+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2905", initial_release_date: "2017-10-17T19:53:19+00:00", revision_history: [ { date: "2017-10-17T19:53:19+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-17T19:53:19+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T11:32:47+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Single Sign-On 7.1 for RHEL 7 Server", product: { name: "Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1", product_identification_helper: { cpe: "cpe:/a:redhat:red_hat_single_sign_on:7::el7", }, }, }, ], category: "product_family", name: "Red Hat Single Sign-On", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_id: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak-server@2.5.14-1.Final_redhat_1.1.jbcs.el7?arch=noarch", }, }, }, { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el7?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el7?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", relates_to_product_reference: "7Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src as a component of Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", relates_to_product_reference: "7Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", }, product_reference: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", relates_to_product_reference: "7Server-RHSSO-7.1", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Mykhailo Stadnyk", ], organization: "Playtech", }, ], cve: "CVE-2017-12158", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2017-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1489161", }, ], notes: [ { category: "description", text: "It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: reflected XSS using HOST header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12158", }, { category: "external", summary: "RHBZ#1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12158", url: "https://www.cve.org/CVERecord?id=CVE-2017-12158", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: reflected XSS using HOST header", }, { acknowledgments: [ { names: [ "Prapti Mittal", ], }, ], cve: "CVE-2017-12159", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484111", }, ], notes: [ { category: "description", text: "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: CSRF token fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12159", }, { category: "external", summary: "RHBZ#1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12159", url: "https://www.cve.org/CVERecord?id=CVE-2017-12159", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: CSRF token fixation", }, { acknowledgments: [ { names: [ "Bart Toersche", ], organization: "Simacan", }, ], cve: "CVE-2017-12160", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484154", }, ], notes: [ { category: "description", text: "It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: resource privilege extension via access token in oauth", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12160", }, { category: "external", summary: "RHBZ#1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12160", url: "https://www.cve.org/CVERecord?id=CVE-2017-12160", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "keycloak: resource privilege extension via access token in oauth", }, { acknowledgments: [ { names: [ "Christian Heimes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-12197", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2017-09-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503103", }, ], notes: [ { category: "description", text: "It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", title: "Vulnerability description", }, { category: "summary", text: "libpam4j: Account check bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12197", }, { category: "external", summary: "RHBZ#1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12197", url: "https://www.cve.org/CVERecord?id=CVE-2017-12197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "libpam4j: Account check bypass", }, ], }
rhsa-2017_2906
Vulnerability from csaf_redhat
Published
2017-10-17 19:42
Modified
2024-11-22 11:32
Summary
Red Hat Security Advisory: Red Hat Single Sign-On security update
Notes
Topic
Red Hat Single Sign-On 7.1.3 is now available for download from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.1 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. The Node.js adapter provides a simple module for authentication and authorization in Node.js applications.
This release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.
Security Fix(es):
* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)
* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)
* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)
* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)
Red Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Single Sign-On 7.1.3 is now available for download from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Single Sign-On 7.1 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. The Node.js adapter provides a simple module for authentication and authorization in Node.js applications.\n\nThis release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.\n\nSecurity Fix(es):\n\n* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)\n\n* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)\n\n* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)\n\n* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)\n\nRed Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2906", url: "https://access.redhat.com/errata/RHSA-2017:2906", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.1", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.1", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", }, { category: "external", summary: "1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2906.json", }, ], title: "Red Hat Security Advisory: Red Hat Single Sign-On security update", tracking: { current_release_date: "2024-11-22T11:32:52+00:00", generator: { date: "2024-11-22T11:32:52+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2906", initial_release_date: "2017-10-17T19:42:35+00:00", revision_history: [ { date: "2017-10-17T19:42:35+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-17T19:42:35+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T11:32:52+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Single Sign-On 7.1", product: { name: "Red Hat Single Sign-On 7.1", product_id: "Red Hat Single Sign-On 7.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_single_sign_on:7.1", }, }, }, ], category: "product_family", name: "Red Hat Single Sign-On", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Mykhailo Stadnyk", ], organization: "Playtech", }, ], cve: "CVE-2017-12158", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2017-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1489161", }, ], notes: [ { category: "description", text: "It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: reflected XSS using HOST header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12158", }, { category: "external", summary: "RHBZ#1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12158", url: "https://www.cve.org/CVERecord?id=CVE-2017-12158", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: reflected XSS using HOST header", }, { acknowledgments: [ { names: [ "Prapti Mittal", ], }, ], cve: "CVE-2017-12159", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484111", }, ], notes: [ { category: "description", text: "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: CSRF token fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12159", }, { category: "external", summary: "RHBZ#1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12159", url: "https://www.cve.org/CVERecord?id=CVE-2017-12159", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: CSRF token fixation", }, { acknowledgments: [ { names: [ "Bart Toersche", ], organization: "Simacan", }, ], cve: "CVE-2017-12160", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484154", }, ], notes: [ { category: "description", text: "It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: resource privilege extension via access token in oauth", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12160", }, { category: "external", summary: "RHBZ#1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12160", url: "https://www.cve.org/CVERecord?id=CVE-2017-12160", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "keycloak: resource privilege extension via access token in oauth", }, { acknowledgments: [ { names: [ "Christian Heimes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-12197", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2017-09-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503103", }, ], notes: [ { category: "description", text: "It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", title: "Vulnerability description", }, { category: "summary", text: "libpam4j: Account check bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12197", }, { category: "external", summary: "RHBZ#1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12197", url: "https://www.cve.org/CVERecord?id=CVE-2017-12197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "libpam4j: Account check bypass", }, ], }
RHSA-2017:2808
Vulnerability from csaf_redhat
Published
2017-09-26 18:39
Modified
2025-04-09 16:40
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2808", url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "JBEAP-11485", url: "https://issues.redhat.com/browse/JBEAP-11485", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2808.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update", tracking: { current_release_date: "2025-04-09T16:40:04+00:00", generator: { date: "2025-04-09T16:40:04+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2808", initial_release_date: "2017-09-26T18:39:54+00:00", revision_history: [ { date: "2017-09-26T18:39:54+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T18:39:54+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:40:04+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_id: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native-wildfly@1.1.0-13.redhat_4.ep7.el7?arch=x86_64", }, }, }, { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el7?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el7?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-appclient@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ear@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-common@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ejb@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-web@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator-cdi@5.2.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-api@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-simple-schema@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-common@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-api@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-impl@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-impl@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-config@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-wildfly8@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-mail@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-prov@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-pkix@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_id: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-modules@7.0.8-4.GA_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el7?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", }, product_reference: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, ], }
RHSA-2018:0294
Vulnerability from csaf_redhat
Published
2018-02-12 17:19
Modified
2025-04-09 16:40
Summary
Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1.2 security update
Notes
Topic
Red Hat JBoss Data Grid 7.1.2 is now available for download from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.
This release of Red Hat JBoss Data Grid 7.1.2 serves as a replacement for Red Hat JBoss Data Grid 7.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* It was found that the Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. (CVE-2017-15089)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525 and Man Yue Mo (Semmle/lgtm.com) for reporting CVE-2017-15089.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Data Grid 7.1.2 is now available for download from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.\n\nThis release of Red Hat JBoss Data Grid 7.1.2 serves as a replacement for Red Hat JBoss Data Grid 7.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* It was found that the Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. (CVE-2017-15089)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525 and Man Yue Mo (Semmle/lgtm.com) for reporting CVE-2017-15089.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2018:0294", url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions&version=7.1.2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions&version=7.1.2", }, { category: "external", summary: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/", url: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "1503610", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503610", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_0294.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1.2 security update", tracking: { current_release_date: "2025-04-09T16:40:52+00:00", generator: { date: "2025-04-09T16:40:52+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2018:0294", initial_release_date: "2018-02-12T17:19:54+00:00", revision_history: [ { date: "2018-02-12T17:19:54+00:00", number: "1", summary: "Initial version", }, { date: "2018-02-12T17:19:54+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:40:52+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Data Grid 7.1", product: { name: "Red Hat JBoss Data Grid 7.1", product_id: "Red Hat JBoss Data Grid 7.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_data_grid:7.1", }, }, }, ], category: "product_family", name: "Red Hat JBoss Data Grid", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Data Grid 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-02-12T17:19:54+00:00", details: "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:0294", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Data Grid 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Data Grid 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-02-12T17:19:54+00:00", details: "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Data Grid 7.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, { acknowledgments: [ { names: [ "Man Yue Mo", ], organization: "Semmle/lgtm.com", }, ], cve: "CVE-2017-15089", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-10-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503610", }, ], notes: [ { category: "description", text: "It was found that the Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "infinispan: Unsafe deserialization of malicious object injected into data cache", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Data Grid 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-15089", }, { category: "external", summary: "RHBZ#1503610", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503610", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-15089", url: "https://www.cve.org/CVERecord?id=CVE-2017-15089", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-15089", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-15089", }, ], release_date: "2018-02-12T15:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-02-12T17:19:54+00:00", details: "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:0294", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Data Grid 7.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "infinispan: Unsafe deserialization of malicious object injected into data cache", }, ], }
RHSA-2017:2811
Vulnerability from csaf_redhat
Published
2017-09-26 19:14
Modified
2025-04-09 17:22
Summary
Red Hat Security Advisory: eap7-jboss-ec2-eap security update
Notes
Topic
An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).
With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.8.
Refer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).\n\nWith this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.8.\n\nRefer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2811", url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "JBEAP-11487", url: "https://issues.redhat.com/browse/JBEAP-11487", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2811.json", }, ], title: "Red Hat Security Advisory: eap7-jboss-ec2-eap security update", tracking: { current_release_date: "2025-04-09T17:22:37+00:00", generator: { date: "2025-04-09T17:22:37+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2811", initial_release_date: "2017-09-26T19:14:16+00:00", revision_history: [ { date: "2017-09-26T19:14:16+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T19:14:16+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T17:22:37+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", }, }, }, { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, { branches: [ { category: "product_version", name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_id: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap-samples@7.0.8-1.GA_redhat_1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_id: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap-samples@7.0.8-1.GA_redhat_1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", }, product_reference: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", }, product_reference: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
rhsa-2018_0294
Vulnerability from csaf_redhat
Published
2018-02-12 17:19
Modified
2024-11-22 10:33
Summary
Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1.2 security update
Notes
Topic
Red Hat JBoss Data Grid 7.1.2 is now available for download from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.
This release of Red Hat JBoss Data Grid 7.1.2 serves as a replacement for Red Hat JBoss Data Grid 7.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* It was found that the Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. (CVE-2017-15089)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525 and Man Yue Mo (Semmle/lgtm.com) for reporting CVE-2017-15089.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Data Grid 7.1.2 is now available for download from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.\n\nThis release of Red Hat JBoss Data Grid 7.1.2 serves as a replacement for Red Hat JBoss Data Grid 7.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* It was found that the Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. (CVE-2017-15089)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525 and Man Yue Mo (Semmle/lgtm.com) for reporting CVE-2017-15089.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2018:0294", url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions&version=7.1.2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions&version=7.1.2", }, { category: "external", summary: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/", url: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "1503610", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503610", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_0294.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1.2 security update", tracking: { current_release_date: "2024-11-22T10:33:42+00:00", generator: { date: "2024-11-22T10:33:42+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2018:0294", initial_release_date: "2018-02-12T17:19:54+00:00", revision_history: [ { date: "2018-02-12T17:19:54+00:00", number: "1", summary: "Initial version", }, { date: "2018-02-12T17:19:54+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T10:33:42+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Data Grid 7.1", product: { name: "Red Hat JBoss Data Grid 7.1", product_id: "Red Hat JBoss Data Grid 7.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_data_grid:7.1", }, }, }, ], category: "product_family", name: "Red Hat JBoss Data Grid", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Data Grid 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-02-12T17:19:54+00:00", details: "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:0294", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Data Grid 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Data Grid 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-02-12T17:19:54+00:00", details: "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Data Grid 7.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, { acknowledgments: [ { names: [ "Man Yue Mo", ], organization: "Semmle/lgtm.com", }, ], cve: "CVE-2017-15089", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-10-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503610", }, ], notes: [ { category: "description", text: "It was found that the Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "infinispan: Unsafe deserialization of malicious object injected into data cache", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Data Grid 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-15089", }, { category: "external", summary: "RHBZ#1503610", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503610", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-15089", url: "https://www.cve.org/CVERecord?id=CVE-2017-15089", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-15089", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-15089", }, ], release_date: "2018-02-12T15:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-02-12T17:19:54+00:00", details: "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:0294", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Data Grid 7.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "infinispan: Unsafe deserialization of malicious object injected into data cache", }, ], }
rhsa-2017:2809
Vulnerability from csaf_redhat
Published
2017-09-26 18:51
Modified
2025-04-09 16:39
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2809", url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "JBEAP-11484", url: "https://issues.redhat.com/browse/JBEAP-11484", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2809.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update", tracking: { current_release_date: "2025-04-09T16:39:58+00:00", generator: { date: "2025-04-09T16:39:58+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2809", initial_release_date: "2017-09-26T18:51:56+00:00", revision_history: [ { date: "2017-09-26T18:51:56+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T18:51:56+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:39:58+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_id: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native-wildfly@1.1.0-13.redhat_4.ep7.el6?arch=x86_64", }, }, }, { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el6?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", product: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", product_id: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native-wildfly@1.1.0-13.redhat_4.ep7.el6?arch=i686", }, }, }, { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el6?arch=i686", }, }, }, ], category: "architecture", name: "i686", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-appclient@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ear@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-common@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ejb@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-web@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator-cdi@5.2.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-api@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-simple-schema@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-common@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-api@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-impl@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-impl@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-config@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-wildfly8@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-mail@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-pkix@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-prov@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_id: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-modules@7.0.8-4.GA_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", }, product_reference: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", }, product_reference: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, ], }
rhsa-2017:2547
Vulnerability from csaf_redhat
Published
2017-08-29 19:40
Modified
2025-04-09 16:39
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.5 security update
Notes
Topic
An update is now available for Red Hat JBoss BRMS.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.4.5 serves as a replacement for Red Hat JBoss BRMS 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.5 serves as a replacement for Red Hat JBoss BRMS 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2547", url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", }, { category: "external", summary: "1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2547.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.5 security update", tracking: { current_release_date: "2025-04-09T16:39:12+00:00", generator: { date: "2025-04-09T16:39:12+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2547", initial_release_date: "2017-08-29T19:40:27+00:00", revision_history: [ { date: "2017-08-29T19:40:27+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-29T19:40:27+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:39:12+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BRMS 6.4", product: { name: "Red Hat JBoss BRMS 6.4", product_id: "Red Hat JBoss BRMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2547", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2017-5662", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2017-04-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443592", }, ], notes: [ { category: "description", text: "An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack.", title: "Vulnerability description", }, { category: "summary", text: "batik: XML external entity processing vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The batik package is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after updating to Red Hat Virtualization 4.1.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5662", }, { category: "external", summary: "RHBZ#1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5662", url: "https://www.cve.org/CVERecord?id=CVE-2017-5662", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", }, ], release_date: "2017-04-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2547", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: XML external entity processing vulnerability", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "Red Hat JBoss BRMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, ], }
rhsa-2017_2808
Vulnerability from csaf_redhat
Published
2017-09-26 18:39
Modified
2024-12-15 18:47
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2808", url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "JBEAP-11485", url: "https://issues.redhat.com/browse/JBEAP-11485", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2808.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update", tracking: { current_release_date: "2024-12-15T18:47:30+00:00", generator: { date: "2024-12-15T18:47:30+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2017:2808", initial_release_date: "2017-09-26T18:39:54+00:00", revision_history: [ { date: "2017-09-26T18:39:54+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T18:39:54+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T18:47:30+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_id: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native-wildfly@1.1.0-13.redhat_4.ep7.el7?arch=x86_64", }, }, }, { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el7?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el7?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-appclient@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ear@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-common@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ejb@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-web@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator-cdi@5.2.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-api@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-simple-schema@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-common@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-api@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-impl@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-impl@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-config@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-wildfly8@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-mail@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-prov@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-pkix@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_id: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-modules@7.0.8-4.GA_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el7?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", }, product_reference: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, ], }
RHSA-2017:2546
Vulnerability from csaf_redhat
Published
2017-08-29 19:40
Modified
2025-04-09 16:39
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.5 security update
Notes
Topic
An update is now available for Red Hat JBoss BPM Suite.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.5 serves as a replacement for Red Hat JBoss BPM Suite 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.5 serves as a replacement for Red Hat JBoss BPM Suite 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2546", url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", }, { category: "external", summary: "1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2546.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.5 security update", tracking: { current_release_date: "2025-04-09T16:39:07+00:00", generator: { date: "2025-04-09T16:39:07+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2546", initial_release_date: "2017-08-29T19:40:38+00:00", revision_history: [ { date: "2017-08-29T19:40:38+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-29T19:40:38+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:39:07+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BPMS 6.4", product: { name: "Red Hat JBoss BPMS 6.4", product_id: "Red Hat JBoss BPMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_bpms:6.4", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2546", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2017-5662", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2017-04-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443592", }, ], notes: [ { category: "description", text: "An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack.", title: "Vulnerability description", }, { category: "summary", text: "batik: XML external entity processing vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The batik package is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after updating to Red Hat Virtualization 4.1.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5662", }, { category: "external", summary: "RHBZ#1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5662", url: "https://www.cve.org/CVERecord?id=CVE-2017-5662", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", }, ], release_date: "2017-04-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2546", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: XML external entity processing vulnerability", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "Red Hat JBoss BPMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, ], }
rhsa-2017:2546
Vulnerability from csaf_redhat
Published
2017-08-29 19:40
Modified
2025-04-09 16:39
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.5 security update
Notes
Topic
An update is now available for Red Hat JBoss BPM Suite.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.5 serves as a replacement for Red Hat JBoss BPM Suite 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.5 serves as a replacement for Red Hat JBoss BPM Suite 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2546", url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", }, { category: "external", summary: "1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2546.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.5 security update", tracking: { current_release_date: "2025-04-09T16:39:07+00:00", generator: { date: "2025-04-09T16:39:07+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2546", initial_release_date: "2017-08-29T19:40:38+00:00", revision_history: [ { date: "2017-08-29T19:40:38+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-29T19:40:38+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:39:07+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BPMS 6.4", product: { name: "Red Hat JBoss BPMS 6.4", product_id: "Red Hat JBoss BPMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_bpms:6.4", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2546", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2017-5662", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2017-04-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443592", }, ], notes: [ { category: "description", text: "An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack.", title: "Vulnerability description", }, { category: "summary", text: "batik: XML external entity processing vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The batik package is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after updating to Red Hat Virtualization 4.1.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5662", }, { category: "external", summary: "RHBZ#1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5662", url: "https://www.cve.org/CVERecord?id=CVE-2017-5662", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", }, ], release_date: "2017-04-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2546", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: XML external entity processing vulnerability", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "Red Hat JBoss BPMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, ], }
RHSA-2017:2905
Vulnerability from csaf_redhat
Published
2017-10-17 19:53
Modified
2025-01-26 20:07
Summary
Red Hat Security Advisory: rh-sso7-keycloak security update
Notes
Topic
An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.
Security Fix(es):
* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)
* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)
* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)
* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)
Red Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.\n\nSecurity Fix(es):\n\n* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)\n\n* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)\n\n* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)\n\n* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)\n\nRed Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2905", url: "https://access.redhat.com/errata/RHSA-2017:2905", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", }, { category: "external", summary: "1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "RHSSO-1122", url: "https://issues.redhat.com/browse/RHSSO-1122", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2905.json", }, ], title: "Red Hat Security Advisory: rh-sso7-keycloak security update", tracking: { current_release_date: "2025-01-26T20:07:53+00:00", generator: { date: "2025-01-26T20:07:53+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:2905", initial_release_date: "2017-10-17T19:53:19+00:00", revision_history: [ { date: "2017-10-17T19:53:19+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-17T19:53:19+00:00", number: "2", summary: "Last updated version", }, { date: "2025-01-26T20:07:53+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Single Sign-On 7.1 for RHEL 7 Server", product: { name: "Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1", product_identification_helper: { cpe: "cpe:/a:redhat:red_hat_single_sign_on:7::el7", }, }, }, ], category: "product_family", name: "Red Hat Single Sign-On", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_id: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak-server@2.5.14-1.Final_redhat_1.1.jbcs.el7?arch=noarch", }, }, }, { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el7?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el7?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", relates_to_product_reference: "7Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src as a component of Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", relates_to_product_reference: "7Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", }, product_reference: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", relates_to_product_reference: "7Server-RHSSO-7.1", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Mykhailo Stadnyk", ], organization: "Playtech", }, ], cve: "CVE-2017-12158", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2017-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1489161", }, ], notes: [ { category: "description", text: "It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: reflected XSS using HOST header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12158", }, { category: "external", summary: "RHBZ#1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12158", url: "https://www.cve.org/CVERecord?id=CVE-2017-12158", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: reflected XSS using HOST header", }, { acknowledgments: [ { names: [ "Prapti Mittal", ], }, ], cve: "CVE-2017-12159", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484111", }, ], notes: [ { category: "description", text: "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: CSRF token fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12159", }, { category: "external", summary: "RHBZ#1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12159", url: "https://www.cve.org/CVERecord?id=CVE-2017-12159", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: CSRF token fixation", }, { acknowledgments: [ { names: [ "Bart Toersche", ], organization: "Simacan", }, ], cve: "CVE-2017-12160", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484154", }, ], notes: [ { category: "description", text: "It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: resource privilege extension via access token in oauth", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12160", }, { category: "external", summary: "RHBZ#1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12160", url: "https://www.cve.org/CVERecord?id=CVE-2017-12160", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "keycloak: resource privilege extension via access token in oauth", }, { acknowledgments: [ { names: [ "Christian Heimes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-12197", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2017-09-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503103", }, ], notes: [ { category: "description", text: "It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", title: "Vulnerability description", }, { category: "summary", text: "libpam4j: Account check bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12197", }, { category: "external", summary: "RHBZ#1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12197", url: "https://www.cve.org/CVERecord?id=CVE-2017-12197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "libpam4j: Account check bypass", }, ], }
RHSA-2017:2810
Vulnerability from csaf_redhat
Published
2017-09-26 17:58
Modified
2025-04-09 17:22
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Enterprise Application Platform.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2810", url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/", url: "https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2810.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update", tracking: { current_release_date: "2025-04-09T17:22:54+00:00", generator: { date: "2025-04-09T17:22:54+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2810", initial_release_date: "2017-09-26T17:58:02+00:00", revision_history: [ { date: "2017-09-26T17:58:02+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T17:58:02+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T17:22:54+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss EAP 7", product: { name: "Red Hat JBoss EAP 7", product_id: "Red Hat JBoss EAP 7", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "Red Hat JBoss EAP 7", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
rhsa-2017:3141
Vulnerability from csaf_redhat
Published
2017-11-07 17:23
Modified
2025-04-09 16:40
Summary
Red Hat Security Advisory: rhvm-appliance security, bug fix, and enhancement update
Notes
Topic
An update for rhvm-appliance is now available for RHEV 4.X RHEV-H and Agents for RHEL-7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.
The following packages have been upgraded to a later upstream version: rhvm-appliance (20171019.0). (BZ#1496586)
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. The CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for rhvm-appliance is now available for RHEV 4.X RHEV-H and Agents for RHEL-7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.\n\nThe following packages have been upgraded to a later upstream version: rhvm-appliance (20171019.0). (BZ#1496586)\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. The CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:3141", url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "1496586", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1496586", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3141.json", }, ], title: "Red Hat Security Advisory: rhvm-appliance security, bug fix, and enhancement update", tracking: { current_release_date: "2025-04-09T16:40:53+00:00", generator: { date: "2025-04-09T16:40:53+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:3141", initial_release_date: "2017-11-07T17:23:02+00:00", revision_history: [ { date: "2017-11-07T17:23:02+00:00", number: "1", summary: "Initial version", }, { date: "2017-11-07T17:23:02+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:40:53+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product: { name: "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product_id: "7Server-RHEV-4-Agents-7", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::hypervisor", }, }, }, { category: "product_name", name: "Red Hat Virtualization 4 Hypervisor for RHEL 7", product: { name: "Red Hat Virtualization 4 Hypervisor for RHEL 7", product_id: "7Server-RHEV-4-Hypervisor-7", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::hypervisor", }, }, }, ], category: "product_family", name: "Red Hat Virtualization", }, { branches: [ { category: "product_version", name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", product: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", product_id: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/rhvm-appliance@4.1.20171102.0-1.el7?arch=src&epoch=1", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", product: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", product_id: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rhvm-appliance@4.1.20171102.0-1.el7?arch=noarch&epoch=1", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product_id: "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", relates_to_product_reference: "7Server-RHEV-4-Agents-7", }, { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product_id: "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", relates_to_product_reference: "7Server-RHEV-4-Agents-7", }, { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7", product_id: "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", relates_to_product_reference: "7Server-RHEV-4-Hypervisor-7", }, { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7", product_id: "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", relates_to_product_reference: "7Server-RHEV-4-Hypervisor-7", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-11-07T17:23:02+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:3141", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-11-07T17:23:02+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-11-07T17:23:02+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:3141", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, ], }
rhsa-2018:0294
Vulnerability from csaf_redhat
Published
2018-02-12 17:19
Modified
2025-04-09 16:40
Summary
Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1.2 security update
Notes
Topic
Red Hat JBoss Data Grid 7.1.2 is now available for download from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.
This release of Red Hat JBoss Data Grid 7.1.2 serves as a replacement for Red Hat JBoss Data Grid 7.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* It was found that the Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. (CVE-2017-15089)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525 and Man Yue Mo (Semmle/lgtm.com) for reporting CVE-2017-15089.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Data Grid 7.1.2 is now available for download from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.\n\nThis release of Red Hat JBoss Data Grid 7.1.2 serves as a replacement for Red Hat JBoss Data Grid 7.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* It was found that the Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. (CVE-2017-15089)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525 and Man Yue Mo (Semmle/lgtm.com) for reporting CVE-2017-15089.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2018:0294", url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions&version=7.1.2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions&version=7.1.2", }, { category: "external", summary: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/", url: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "1503610", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503610", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_0294.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Data Grid 7.1.2 security update", tracking: { current_release_date: "2025-04-09T16:40:52+00:00", generator: { date: "2025-04-09T16:40:52+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2018:0294", initial_release_date: "2018-02-12T17:19:54+00:00", revision_history: [ { date: "2018-02-12T17:19:54+00:00", number: "1", summary: "Initial version", }, { date: "2018-02-12T17:19:54+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:40:52+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Data Grid 7.1", product: { name: "Red Hat JBoss Data Grid 7.1", product_id: "Red Hat JBoss Data Grid 7.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_data_grid:7.1", }, }, }, ], category: "product_family", name: "Red Hat JBoss Data Grid", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Data Grid 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-02-12T17:19:54+00:00", details: "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:0294", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Data Grid 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Data Grid 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-02-12T17:19:54+00:00", details: "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Data Grid 7.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, { acknowledgments: [ { names: [ "Man Yue Mo", ], organization: "Semmle/lgtm.com", }, ], cve: "CVE-2017-15089", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-10-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503610", }, ], notes: [ { category: "description", text: "It was found that the Hotrod client in Infinispan would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "infinispan: Unsafe deserialization of malicious object injected into data cache", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Data Grid 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-15089", }, { category: "external", summary: "RHBZ#1503610", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503610", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-15089", url: "https://www.cve.org/CVERecord?id=CVE-2017-15089", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-15089", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-15089", }, ], release_date: "2018-02-12T15:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2018-02-12T17:19:54+00:00", details: "The References section of this erratum contains a download link (you must log in to download the update).\n\nBefore applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, and so on).", product_ids: [ "Red Hat JBoss Data Grid 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2018:0294", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Data Grid 7.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "infinispan: Unsafe deserialization of malicious object injected into data cache", }, ], }
rhsa-2017:2811
Vulnerability from csaf_redhat
Published
2017-09-26 19:14
Modified
2025-04-09 17:22
Summary
Red Hat Security Advisory: eap7-jboss-ec2-eap security update
Notes
Topic
An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).
With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.8.
Refer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).\n\nWith this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.8.\n\nRefer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2811", url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "JBEAP-11487", url: "https://issues.redhat.com/browse/JBEAP-11487", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2811.json", }, ], title: "Red Hat Security Advisory: eap7-jboss-ec2-eap security update", tracking: { current_release_date: "2025-04-09T17:22:37+00:00", generator: { date: "2025-04-09T17:22:37+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2811", initial_release_date: "2017-09-26T19:14:16+00:00", revision_history: [ { date: "2017-09-26T19:14:16+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T19:14:16+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T17:22:37+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", }, }, }, { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, { branches: [ { category: "product_version", name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_id: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap-samples@7.0.8-1.GA_redhat_1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_id: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap-samples@7.0.8-1.GA_redhat_1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", }, product_reference: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", }, product_reference: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
rhsa-2017_2546
Vulnerability from csaf_redhat
Published
2017-08-29 19:40
Modified
2024-11-22 11:19
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.5 security update
Notes
Topic
An update is now available for Red Hat JBoss BPM Suite.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.5 serves as a replacement for Red Hat JBoss BPM Suite 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BPM Suite.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.4.5 serves as a replacement for Red Hat JBoss BPM Suite 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2546", url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", }, { category: "external", summary: "1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2546.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.4.5 security update", tracking: { current_release_date: "2024-11-22T11:19:12+00:00", generator: { date: "2024-11-22T11:19:12+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2546", initial_release_date: "2017-08-29T19:40:38+00:00", revision_history: [ { date: "2017-08-29T19:40:38+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-29T19:40:38+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T11:19:12+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BPMS 6.4", product: { name: "Red Hat JBoss BPMS 6.4", product_id: "Red Hat JBoss BPMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_bpms:6.4", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2546", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2017-5662", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2017-04-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443592", }, ], notes: [ { category: "description", text: "An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack.", title: "Vulnerability description", }, { category: "summary", text: "batik: XML external entity processing vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The batik package is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after updating to Red Hat Virtualization 4.1.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5662", }, { category: "external", summary: "RHBZ#1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5662", url: "https://www.cve.org/CVERecord?id=CVE-2017-5662", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", }, ], release_date: "2017-04-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2546", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: XML external entity processing vulnerability", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BPMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "Red Hat JBoss BPMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BPMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, ], }
rhsa-2017_2547
Vulnerability from csaf_redhat
Published
2017-08-29 19:40
Modified
2024-11-22 11:19
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.5 security update
Notes
Topic
An update is now available for Red Hat JBoss BRMS.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.4.5 serves as a replacement for Red Hat JBoss BRMS 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.5 serves as a replacement for Red Hat JBoss BRMS 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2547", url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", }, { category: "external", summary: "1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2547.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.5 security update", tracking: { current_release_date: "2024-11-22T11:19:16+00:00", generator: { date: "2024-11-22T11:19:16+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2547", initial_release_date: "2017-08-29T19:40:27+00:00", revision_history: [ { date: "2017-08-29T19:40:27+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-29T19:40:27+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T11:19:16+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BRMS 6.4", product: { name: "Red Hat JBoss BRMS 6.4", product_id: "Red Hat JBoss BRMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2547", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2017-5662", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2017-04-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443592", }, ], notes: [ { category: "description", text: "An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack.", title: "Vulnerability description", }, { category: "summary", text: "batik: XML external entity processing vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The batik package is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after updating to Red Hat Virtualization 4.1.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5662", }, { category: "external", summary: "RHBZ#1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5662", url: "https://www.cve.org/CVERecord?id=CVE-2017-5662", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", }, ], release_date: "2017-04-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2547", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: XML external entity processing vulnerability", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "Red Hat JBoss BRMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, ], }
RHSA-2017:2904
Vulnerability from csaf_redhat
Published
2017-10-17 19:53
Modified
2025-01-26 20:07
Summary
Red Hat Security Advisory: rh-sso7-keycloak security update
Notes
Topic
An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 6.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.
Security Fix(es):
* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)
* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)
* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)
* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)
Red Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.\n\nSecurity Fix(es):\n\n* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)\n\n* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)\n\n* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)\n\n* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)\n\nRed Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2904", url: "https://access.redhat.com/errata/RHSA-2017:2904", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", }, { category: "external", summary: "1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "RHSSO-1121", url: "https://issues.redhat.com/browse/RHSSO-1121", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2904.json", }, ], title: "Red Hat Security Advisory: rh-sso7-keycloak security update", tracking: { current_release_date: "2025-01-26T20:07:47+00:00", generator: { date: "2025-01-26T20:07:47+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:2904", initial_release_date: "2017-10-17T19:53:00+00:00", revision_history: [ { date: "2017-10-17T19:53:00+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-17T19:53:00+00:00", number: "2", summary: "Last updated version", }, { date: "2025-01-26T20:07:47+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Single Sign-On 7.1 for RHEL 6 Server", product: { name: "Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1", product_identification_helper: { cpe: "cpe:/a:redhat:red_hat_single_sign_on:7::el6", }, }, }, ], category: "product_family", name: "Red Hat Single Sign-On", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_id: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak-server@2.5.14-1.Final_redhat_1.1.jbcs.el6?arch=noarch", }, }, }, { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", relates_to_product_reference: "6Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src as a component of Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", relates_to_product_reference: "6Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", }, product_reference: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", relates_to_product_reference: "6Server-RHSSO-7.1", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Mykhailo Stadnyk", ], organization: "Playtech", }, ], cve: "CVE-2017-12158", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2017-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1489161", }, ], notes: [ { category: "description", text: "It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: reflected XSS using HOST header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12158", }, { category: "external", summary: "RHBZ#1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12158", url: "https://www.cve.org/CVERecord?id=CVE-2017-12158", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: reflected XSS using HOST header", }, { acknowledgments: [ { names: [ "Prapti Mittal", ], }, ], cve: "CVE-2017-12159", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484111", }, ], notes: [ { category: "description", text: "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: CSRF token fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12159", }, { category: "external", summary: "RHBZ#1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12159", url: "https://www.cve.org/CVERecord?id=CVE-2017-12159", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: CSRF token fixation", }, { acknowledgments: [ { names: [ "Bart Toersche", ], organization: "Simacan", }, ], cve: "CVE-2017-12160", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484154", }, ], notes: [ { category: "description", text: "It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: resource privilege extension via access token in oauth", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12160", }, { category: "external", summary: "RHBZ#1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12160", url: "https://www.cve.org/CVERecord?id=CVE-2017-12160", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "keycloak: resource privilege extension via access token in oauth", }, { acknowledgments: [ { names: [ "Christian Heimes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-12197", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2017-09-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503103", }, ], notes: [ { category: "description", text: "It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", title: "Vulnerability description", }, { category: "summary", text: "libpam4j: Account check bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12197", }, { category: "external", summary: "RHBZ#1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12197", url: "https://www.cve.org/CVERecord?id=CVE-2017-12197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "libpam4j: Account check bypass", }, ], }
rhsa-2017:2905
Vulnerability from csaf_redhat
Published
2017-10-17 19:53
Modified
2025-01-26 20:07
Summary
Red Hat Security Advisory: rh-sso7-keycloak security update
Notes
Topic
An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.
Security Fix(es):
* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)
* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)
* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)
* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)
Red Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.\n\nSecurity Fix(es):\n\n* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)\n\n* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)\n\n* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)\n\n* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)\n\nRed Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2905", url: "https://access.redhat.com/errata/RHSA-2017:2905", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", }, { category: "external", summary: "1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "RHSSO-1122", url: "https://issues.redhat.com/browse/RHSSO-1122", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2905.json", }, ], title: "Red Hat Security Advisory: rh-sso7-keycloak security update", tracking: { current_release_date: "2025-01-26T20:07:53+00:00", generator: { date: "2025-01-26T20:07:53+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:2905", initial_release_date: "2017-10-17T19:53:19+00:00", revision_history: [ { date: "2017-10-17T19:53:19+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-17T19:53:19+00:00", number: "2", summary: "Last updated version", }, { date: "2025-01-26T20:07:53+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Single Sign-On 7.1 for RHEL 7 Server", product: { name: "Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1", product_identification_helper: { cpe: "cpe:/a:redhat:red_hat_single_sign_on:7::el7", }, }, }, ], category: "product_family", name: "Red Hat Single Sign-On", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_id: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak-server@2.5.14-1.Final_redhat_1.1.jbcs.el7?arch=noarch", }, }, }, { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el7?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el7?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", relates_to_product_reference: "7Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src as a component of Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", relates_to_product_reference: "7Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 7 Server", product_id: "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", }, product_reference: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", relates_to_product_reference: "7Server-RHSSO-7.1", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Mykhailo Stadnyk", ], organization: "Playtech", }, ], cve: "CVE-2017-12158", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2017-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1489161", }, ], notes: [ { category: "description", text: "It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: reflected XSS using HOST header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12158", }, { category: "external", summary: "RHBZ#1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12158", url: "https://www.cve.org/CVERecord?id=CVE-2017-12158", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: reflected XSS using HOST header", }, { acknowledgments: [ { names: [ "Prapti Mittal", ], }, ], cve: "CVE-2017-12159", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484111", }, ], notes: [ { category: "description", text: "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: CSRF token fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12159", }, { category: "external", summary: "RHBZ#1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12159", url: "https://www.cve.org/CVERecord?id=CVE-2017-12159", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: CSRF token fixation", }, { acknowledgments: [ { names: [ "Bart Toersche", ], organization: "Simacan", }, ], cve: "CVE-2017-12160", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484154", }, ], notes: [ { category: "description", text: "It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: resource privilege extension via access token in oauth", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12160", }, { category: "external", summary: "RHBZ#1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12160", url: "https://www.cve.org/CVERecord?id=CVE-2017-12160", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "keycloak: resource privilege extension via access token in oauth", }, { acknowledgments: [ { names: [ "Christian Heimes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-12197", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2017-09-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503103", }, ], notes: [ { category: "description", text: "It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", title: "Vulnerability description", }, { category: "summary", text: "libpam4j: Account check bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12197", }, { category: "external", summary: "RHBZ#1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12197", url: "https://www.cve.org/CVERecord?id=CVE-2017-12197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:19+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2905", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", "7Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.src", "7Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "libpam4j: Account check bypass", }, ], }
RHSA-2017:2809
Vulnerability from csaf_redhat
Published
2017-09-26 18:51
Modified
2025-04-09 16:39
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2809", url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "JBEAP-11484", url: "https://issues.redhat.com/browse/JBEAP-11484", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2809.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update", tracking: { current_release_date: "2025-04-09T16:39:58+00:00", generator: { date: "2025-04-09T16:39:58+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2809", initial_release_date: "2017-09-26T18:51:56+00:00", revision_history: [ { date: "2017-09-26T18:51:56+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T18:51:56+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:39:58+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_id: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native-wildfly@1.1.0-13.redhat_4.ep7.el6?arch=x86_64", }, }, }, { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el6?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", product: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", product_id: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native-wildfly@1.1.0-13.redhat_4.ep7.el6?arch=i686", }, }, }, { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el6?arch=i686", }, }, }, ], category: "architecture", name: "i686", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-appclient@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ear@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-common@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ejb@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-web@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator-cdi@5.2.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-api@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-simple-schema@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-common@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-api@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-impl@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-impl@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-config@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-wildfly8@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-mail@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-pkix@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-prov@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_id: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-modules@7.0.8-4.GA_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", }, product_reference: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", }, product_reference: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, ], }
rhsa-2017:2906
Vulnerability from csaf_redhat
Published
2017-10-17 19:42
Modified
2025-01-26 20:08
Summary
Red Hat Security Advisory: Red Hat Single Sign-On security update
Notes
Topic
Red Hat Single Sign-On 7.1.3 is now available for download from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.1 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. The Node.js adapter provides a simple module for authentication and authorization in Node.js applications.
This release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.
Security Fix(es):
* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)
* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)
* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)
* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)
Red Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Single Sign-On 7.1.3 is now available for download from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Single Sign-On 7.1 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. The Node.js adapter provides a simple module for authentication and authorization in Node.js applications.\n\nThis release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.\n\nSecurity Fix(es):\n\n* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)\n\n* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)\n\n* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)\n\n* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)\n\nRed Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2906", url: "https://access.redhat.com/errata/RHSA-2017:2906", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.1", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.1", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", }, { category: "external", summary: "1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2906.json", }, ], title: "Red Hat Security Advisory: Red Hat Single Sign-On security update", tracking: { current_release_date: "2025-01-26T20:08:09+00:00", generator: { date: "2025-01-26T20:08:09+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:2906", initial_release_date: "2017-10-17T19:42:35+00:00", revision_history: [ { date: "2017-10-17T19:42:35+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-17T19:42:35+00:00", number: "2", summary: "Last updated version", }, { date: "2025-01-26T20:08:09+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Single Sign-On 7.1", product: { name: "Red Hat Single Sign-On 7.1", product_id: "Red Hat Single Sign-On 7.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_single_sign_on:7.1", }, }, }, ], category: "product_family", name: "Red Hat Single Sign-On", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Mykhailo Stadnyk", ], organization: "Playtech", }, ], cve: "CVE-2017-12158", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2017-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1489161", }, ], notes: [ { category: "description", text: "It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: reflected XSS using HOST header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12158", }, { category: "external", summary: "RHBZ#1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12158", url: "https://www.cve.org/CVERecord?id=CVE-2017-12158", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: reflected XSS using HOST header", }, { acknowledgments: [ { names: [ "Prapti Mittal", ], }, ], cve: "CVE-2017-12159", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484111", }, ], notes: [ { category: "description", text: "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: CSRF token fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12159", }, { category: "external", summary: "RHBZ#1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12159", url: "https://www.cve.org/CVERecord?id=CVE-2017-12159", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: CSRF token fixation", }, { acknowledgments: [ { names: [ "Bart Toersche", ], organization: "Simacan", }, ], cve: "CVE-2017-12160", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484154", }, ], notes: [ { category: "description", text: "It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: resource privilege extension via access token in oauth", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12160", }, { category: "external", summary: "RHBZ#1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12160", url: "https://www.cve.org/CVERecord?id=CVE-2017-12160", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "keycloak: resource privilege extension via access token in oauth", }, { acknowledgments: [ { names: [ "Christian Heimes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-12197", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2017-09-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503103", }, ], notes: [ { category: "description", text: "It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", title: "Vulnerability description", }, { category: "summary", text: "libpam4j: Account check bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12197", }, { category: "external", summary: "RHBZ#1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12197", url: "https://www.cve.org/CVERecord?id=CVE-2017-12197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "libpam4j: Account check bypass", }, ], }
RHSA-2017:3141
Vulnerability from csaf_redhat
Published
2017-11-07 17:23
Modified
2025-04-09 16:40
Summary
Red Hat Security Advisory: rhvm-appliance security, bug fix, and enhancement update
Notes
Topic
An update for rhvm-appliance is now available for RHEV 4.X RHEV-H and Agents for RHEL-7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.
The following packages have been upgraded to a later upstream version: rhvm-appliance (20171019.0). (BZ#1496586)
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. The CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for rhvm-appliance is now available for RHEV 4.X RHEV-H and Agents for RHEL-7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal.\n\nThe following packages have been upgraded to a later upstream version: rhvm-appliance (20171019.0). (BZ#1496586)\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525. The CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:3141", url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "1496586", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1496586", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_3141.json", }, ], title: "Red Hat Security Advisory: rhvm-appliance security, bug fix, and enhancement update", tracking: { current_release_date: "2025-04-09T16:40:53+00:00", generator: { date: "2025-04-09T16:40:53+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:3141", initial_release_date: "2017-11-07T17:23:02+00:00", revision_history: [ { date: "2017-11-07T17:23:02+00:00", number: "1", summary: "Initial version", }, { date: "2017-11-07T17:23:02+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:40:53+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product: { name: "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product_id: "7Server-RHEV-4-Agents-7", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::hypervisor", }, }, }, { category: "product_name", name: "Red Hat Virtualization 4 Hypervisor for RHEL 7", product: { name: "Red Hat Virtualization 4 Hypervisor for RHEL 7", product_id: "7Server-RHEV-4-Hypervisor-7", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::hypervisor", }, }, }, ], category: "product_family", name: "Red Hat Virtualization", }, { branches: [ { category: "product_version", name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", product: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", product_id: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/rhvm-appliance@4.1.20171102.0-1.el7?arch=src&epoch=1", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", product: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", product_id: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rhvm-appliance@4.1.20171102.0-1.el7?arch=noarch&epoch=1", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product_id: "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", relates_to_product_reference: "7Server-RHEV-4-Agents-7", }, { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts", product_id: "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", relates_to_product_reference: "7Server-RHEV-4-Agents-7", }, { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7", product_id: "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", relates_to_product_reference: "7Server-RHEV-4-Hypervisor-7", }, { category: "default_component_of", full_product_name: { name: "rhvm-appliance-1:4.1.20171102.0-1.el7.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 7", product_id: "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", }, product_reference: "rhvm-appliance-1:4.1.20171102.0-1.el7.src", relates_to_product_reference: "7Server-RHEV-4-Hypervisor-7", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-11-07T17:23:02+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:3141", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-11-07T17:23:02+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-11-07T17:23:02+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:3141", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Agents-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.noarch", "7Server-RHEV-4-Hypervisor-7:rhvm-appliance-1:4.1.20171102.0-1.el7.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, ], }
rhsa-2017:2808
Vulnerability from csaf_redhat
Published
2017-09-26 18:39
Modified
2025-04-09 16:40
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2808", url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "JBEAP-11485", url: "https://issues.redhat.com/browse/JBEAP-11485", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2808.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update", tracking: { current_release_date: "2025-04-09T16:40:04+00:00", generator: { date: "2025-04-09T16:40:04+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2808", initial_release_date: "2017-09-26T18:39:54+00:00", revision_history: [ { date: "2017-09-26T18:39:54+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T18:39:54+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:40:04+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_id: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native-wildfly@1.1.0-13.redhat_4.ep7.el7?arch=x86_64", }, }, }, { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el7?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el7?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-appclient@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ear@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-common@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ejb@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-web@10.0.2-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator-cdi@5.2.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-api@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-simple-schema@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-common@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-api@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-impl@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-impl@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-config@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_id: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-wildfly8@2.5.5-9.SP8_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-mail@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-prov@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_id: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-pkix@1.56.0-3.redhat_2.2.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_id: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-modules@7.0.8-4.GA_redhat_1.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el7?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", }, product_reference: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", }, product_reference: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", }, product_reference: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:39:54+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2808", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.src", "7Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el7.x86_64", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el7.src", "7Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, ], }
rhsa-2017_2811
Vulnerability from csaf_redhat
Published
2017-09-26 19:14
Modified
2024-12-15 18:47
Summary
Red Hat Security Advisory: eap7-jboss-ec2-eap security update
Notes
Topic
An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).
With this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.8.
Refer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).\n\nWith this update, the eap7-jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 7.0.8.\n\nRefer to the JBoss Enterprise Application Platform 7.0.8 Release Notes, linked to in the References section, for information on the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2811", url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "JBEAP-11487", url: "https://issues.redhat.com/browse/JBEAP-11487", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2811.json", }, ], title: "Red Hat Security Advisory: eap7-jboss-ec2-eap security update", tracking: { current_release_date: "2024-12-15T18:47:35+00:00", generator: { date: "2024-12-15T18:47:35+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2017:2811", initial_release_date: "2017-09-26T19:14:16+00:00", revision_history: [ { date: "2017-09-26T19:14:16+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T19:14:16+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T18:47:35+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el7", }, }, }, { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, { branches: [ { category: "product_version", name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_id: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap-samples@7.0.8-1.GA_redhat_1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_id: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap-samples@7.0.8-1.GA_redhat_1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", product: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", product_id: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-ec2-eap@7.0.8-1.GA_redhat_1.ep7.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", }, product_reference: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", }, product_reference: "eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", relates_to_product_reference: "7Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server", product_id: "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", }, product_reference: "eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", relates_to_product_reference: "7Server-JBEAP-7.0", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T19:14:16+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el6.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-0:7.0.8-1.GA_redhat_1.ep7.el7.src", "7Server-JBEAP-7.0:eap7-jboss-ec2-eap-samples-0:7.0.8-1.GA_redhat_1.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
rhsa-2017:2904
Vulnerability from csaf_redhat
Published
2017-10-17 19:53
Modified
2025-01-26 20:07
Summary
Red Hat Security Advisory: rh-sso7-keycloak security update
Notes
Topic
An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 6.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.
Security Fix(es):
* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)
* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)
* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)
* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)
Red Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.\n\nSecurity Fix(es):\n\n* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)\n\n* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)\n\n* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)\n\n* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)\n\nRed Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2904", url: "https://access.redhat.com/errata/RHSA-2017:2904", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", }, { category: "external", summary: "1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "RHSSO-1121", url: "https://issues.redhat.com/browse/RHSSO-1121", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2904.json", }, ], title: "Red Hat Security Advisory: rh-sso7-keycloak security update", tracking: { current_release_date: "2025-01-26T20:07:47+00:00", generator: { date: "2025-01-26T20:07:47+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:2904", initial_release_date: "2017-10-17T19:53:00+00:00", revision_history: [ { date: "2017-10-17T19:53:00+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-17T19:53:00+00:00", number: "2", summary: "Last updated version", }, { date: "2025-01-26T20:07:47+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Single Sign-On 7.1 for RHEL 6 Server", product: { name: "Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1", product_identification_helper: { cpe: "cpe:/a:redhat:red_hat_single_sign_on:7::el6", }, }, }, ], category: "product_family", name: "Red Hat Single Sign-On", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_id: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak-server@2.5.14-1.Final_redhat_1.1.jbcs.el6?arch=noarch", }, }, }, { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", relates_to_product_reference: "6Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src as a component of Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", relates_to_product_reference: "6Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", }, product_reference: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", relates_to_product_reference: "6Server-RHSSO-7.1", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Mykhailo Stadnyk", ], organization: "Playtech", }, ], cve: "CVE-2017-12158", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2017-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1489161", }, ], notes: [ { category: "description", text: "It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: reflected XSS using HOST header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12158", }, { category: "external", summary: "RHBZ#1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12158", url: "https://www.cve.org/CVERecord?id=CVE-2017-12158", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: reflected XSS using HOST header", }, { acknowledgments: [ { names: [ "Prapti Mittal", ], }, ], cve: "CVE-2017-12159", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484111", }, ], notes: [ { category: "description", text: "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: CSRF token fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12159", }, { category: "external", summary: "RHBZ#1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12159", url: "https://www.cve.org/CVERecord?id=CVE-2017-12159", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: CSRF token fixation", }, { acknowledgments: [ { names: [ "Bart Toersche", ], organization: "Simacan", }, ], cve: "CVE-2017-12160", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484154", }, ], notes: [ { category: "description", text: "It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: resource privilege extension via access token in oauth", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12160", }, { category: "external", summary: "RHBZ#1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12160", url: "https://www.cve.org/CVERecord?id=CVE-2017-12160", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "keycloak: resource privilege extension via access token in oauth", }, { acknowledgments: [ { names: [ "Christian Heimes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-12197", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2017-09-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503103", }, ], notes: [ { category: "description", text: "It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", title: "Vulnerability description", }, { category: "summary", text: "libpam4j: Account check bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12197", }, { category: "external", summary: "RHBZ#1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12197", url: "https://www.cve.org/CVERecord?id=CVE-2017-12197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "libpam4j: Account check bypass", }, ], }
RHSA-2017:2906
Vulnerability from csaf_redhat
Published
2017-10-17 19:42
Modified
2025-01-26 20:08
Summary
Red Hat Security Advisory: Red Hat Single Sign-On security update
Notes
Topic
Red Hat Single Sign-On 7.1.3 is now available for download from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.1 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. The Node.js adapter provides a simple module for authentication and authorization in Node.js applications.
This release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.
Security Fix(es):
* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)
* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)
* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)
* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)
Red Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Single Sign-On 7.1.3 is now available for download from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Single Sign-On 7.1 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. The Node.js adapter provides a simple module for authentication and authorization in Node.js applications.\n\nThis release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.\n\nSecurity Fix(es):\n\n* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)\n\n* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)\n\n* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)\n\n* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)\n\nRed Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2906", url: "https://access.redhat.com/errata/RHSA-2017:2906", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.1", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.1", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", }, { category: "external", summary: "1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2906.json", }, ], title: "Red Hat Security Advisory: Red Hat Single Sign-On security update", tracking: { current_release_date: "2025-01-26T20:08:09+00:00", generator: { date: "2025-01-26T20:08:09+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:2906", initial_release_date: "2017-10-17T19:42:35+00:00", revision_history: [ { date: "2017-10-17T19:42:35+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-17T19:42:35+00:00", number: "2", summary: "Last updated version", }, { date: "2025-01-26T20:08:09+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Single Sign-On 7.1", product: { name: "Red Hat Single Sign-On 7.1", product_id: "Red Hat Single Sign-On 7.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_single_sign_on:7.1", }, }, }, ], category: "product_family", name: "Red Hat Single Sign-On", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Mykhailo Stadnyk", ], organization: "Playtech", }, ], cve: "CVE-2017-12158", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2017-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1489161", }, ], notes: [ { category: "description", text: "It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: reflected XSS using HOST header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12158", }, { category: "external", summary: "RHBZ#1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12158", url: "https://www.cve.org/CVERecord?id=CVE-2017-12158", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: reflected XSS using HOST header", }, { acknowledgments: [ { names: [ "Prapti Mittal", ], }, ], cve: "CVE-2017-12159", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484111", }, ], notes: [ { category: "description", text: "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: CSRF token fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12159", }, { category: "external", summary: "RHBZ#1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12159", url: "https://www.cve.org/CVERecord?id=CVE-2017-12159", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: CSRF token fixation", }, { acknowledgments: [ { names: [ "Bart Toersche", ], organization: "Simacan", }, ], cve: "CVE-2017-12160", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484154", }, ], notes: [ { category: "description", text: "It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: resource privilege extension via access token in oauth", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12160", }, { category: "external", summary: "RHBZ#1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12160", url: "https://www.cve.org/CVERecord?id=CVE-2017-12160", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "keycloak: resource privilege extension via access token in oauth", }, { acknowledgments: [ { names: [ "Christian Heimes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-12197", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2017-09-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503103", }, ], notes: [ { category: "description", text: "It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", title: "Vulnerability description", }, { category: "summary", text: "libpam4j: Account check bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Single Sign-On 7.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12197", }, { category: "external", summary: "RHBZ#1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12197", url: "https://www.cve.org/CVERecord?id=CVE-2017-12197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:42:35+00:00", details: "Before applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on.\n\nThe References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat Single Sign-On 7.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "Red Hat Single Sign-On 7.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "libpam4j: Account check bypass", }, ], }
RHSA-2017:2547
Vulnerability from csaf_redhat
Published
2017-08-29 19:40
Modified
2025-04-09 16:39
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.5 security update
Notes
Topic
An update is now available for Red Hat JBoss BRMS.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.4.5 serves as a replacement for Red Hat JBoss BRMS 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss BRMS.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.4.5 serves as a replacement for Red Hat JBoss BRMS 6.4.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack. (CVE-2017-5662)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2547", url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.4", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-brms/", }, { category: "external", summary: "1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2547.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BRMS 6.4.5 security update", tracking: { current_release_date: "2025-04-09T16:39:12+00:00", generator: { date: "2025-04-09T16:39:12+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2547", initial_release_date: "2017-08-29T19:40:27+00:00", revision_history: [ { date: "2017-08-29T19:40:27+00:00", number: "1", summary: "Initial version", }, { date: "2017-08-29T19:40:27+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T16:39:12+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BRMS 6.4", product: { name: "Red Hat JBoss BRMS 6.4", product_id: "Red Hat JBoss BRMS 6.4", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_brms_platform:6.4", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2547", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2017-5662", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2017-04-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443592", }, ], notes: [ { category: "description", text: "An XXE vulnerability was found in Apache Batik which could allow a remote attacker to retrieve the files on the vulnerable server's filesystem by uploading specially crafted SVG images. The vulnerability could also allow a denial of service condition by performing an amplification attack.", title: "Vulnerability description", }, { category: "summary", text: "batik: XML external entity processing vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The batik package is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after updating to Red Hat Virtualization 4.1.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5662", }, { category: "external", summary: "RHBZ#1443592", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443592", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5662", url: "https://www.cve.org/CVERecord?id=CVE-2017-5662", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5662", }, ], release_date: "2017-04-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2547", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: XML external entity processing vulnerability", }, { acknowledgments: [ { names: [ "Liao Xinxi", ], organization: "NSFOCUS", }, ], cve: "CVE-2017-7525", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2017-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1462702", }, ], notes: [ { category: "description", text: "A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the versions of jackson-databind (in Satellite 6.0 and 6.1) and candlepin (which embeds a copy of jackson-databind in Satellite 6.2) as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time:\n\nCandlepin currently uses the default type resolution configuration for the ObjectMappers it creates/uses. Nowhere in candlepin do we enable global polymorphic deserialization via enableDefaultTyping(...), therefore based on the documentation sited BZ 1462702 , candlepin should not be affected.\n\nHowever as the vulnerable software ships with the product we have marked them as vulnerable to ensure the issue is tracked.\n\nJBoss EAP 7.x only uses the vulnerable Jackson Databind library for marshalling and unmarshalling of JSON objects passed to JAX-RS webservices. Some advise about how to remain safe when using JAX-RS webservices on JBoss EAP 7.x is available here: \n\nhttps://access.redhat.com/solutions/3279231\n\nAlthough JBoss Fuse ships the vulnerable version of jackson-databind, it does not call on enableDefaultTyping() for any polymorphic deserialization operations which is the root cause of this vulnerability. We have raised a Jira tracker to ensure that jackson-databind will be upgraded for Fuse 7.0, however due to feasibility issues jackson-databind cannot be upgraded in JBoss Fuse 6.3.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7525", }, { category: "external", summary: "RHBZ#1462702", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1462702", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7525", url: "https://www.cve.org/CVERecord?id=CVE-2017-7525", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7525", }, ], release_date: "2017-07-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-08-29T19:40:27+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss BRMS 6.4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { category: "workaround", details: "Mitigation to this problem is to not trigger polymorphic desrialization globally by using: objectMapper.enableDefaultTyping() and rather use @JsonTypeInfo on the class property to explicitly define the type information. For more information on this issue please refer to https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true", product_ids: [ "Red Hat JBoss BRMS 6.4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss BRMS 6.4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper", }, ], }
rhsa-2017_2904
Vulnerability from csaf_redhat
Published
2017-10-17 19:53
Modified
2024-11-22 11:32
Summary
Red Hat Security Advisory: rh-sso7-keycloak security update
Notes
Topic
An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 6.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.
Security Fix(es):
* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)
* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)
* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)
* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)
Red Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for rh-sso7-keycloak is now available for Red Hat Single Sign-On 7.1 for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.1.3 serves as a replacement for Red Hat Single Sign-On 7.1.2, and includes several bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.\n\nSecurity Fix(es):\n\n* It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. (CVE-2017-12158)\n\n* It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. (CVE-2017-12159)\n\n* It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. (CVE-2017-12197)\n\n* It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks. (CVE-2017-12160)\n\nRed Hat would like to thank Mykhailo Stadnyk (Playtech) for reporting CVE-2017-12158; Prapti Mittal for reporting CVE-2017-12159; and Bart Toersche (Simacan) for reporting CVE-2017-12160. The CVE-2017-12197 issue was discovered by Christian Heimes (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2904", url: "https://access.redhat.com/errata/RHSA-2017:2904", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", url: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/", }, { category: "external", summary: "1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "RHSSO-1121", url: "https://issues.redhat.com/browse/RHSSO-1121", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2904.json", }, ], title: "Red Hat Security Advisory: rh-sso7-keycloak security update", tracking: { current_release_date: "2024-11-22T11:32:41+00:00", generator: { date: "2024-11-22T11:32:41+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2017:2904", initial_release_date: "2017-10-17T19:53:00+00:00", revision_history: [ { date: "2017-10-17T19:53:00+00:00", number: "1", summary: "Initial version", }, { date: "2017-10-17T19:53:00+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T11:32:41+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Single Sign-On 7.1 for RHEL 6 Server", product: { name: "Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1", product_identification_helper: { cpe: "cpe:/a:redhat:red_hat_single_sign_on:7::el6", }, }, }, ], category: "product_family", name: "Red Hat Single Sign-On", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_id: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak-server@2.5.14-1.Final_redhat_1.1.jbcs.el6?arch=noarch", }, }, }, { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", product: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", product_id: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/rh-sso7-keycloak@2.5.14-1.Final_redhat_1.1.jbcs.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", relates_to_product_reference: "6Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src as a component of Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", }, product_reference: "rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", relates_to_product_reference: "6Server-RHSSO-7.1", }, { category: "default_component_of", full_product_name: { name: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch as a component of Red Hat Single Sign-On 7.1 for RHEL 6 Server", product_id: "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", }, product_reference: "rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", relates_to_product_reference: "6Server-RHSSO-7.1", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { acknowledgments: [ { names: [ "Mykhailo Stadnyk", ], organization: "Playtech", }, ], cve: "CVE-2017-12158", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2017-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1489161", }, ], notes: [ { category: "description", text: "It was found that keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: reflected XSS using HOST header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12158", }, { category: "external", summary: "RHBZ#1489161", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1489161", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12158", url: "https://www.cve.org/CVERecord?id=CVE-2017-12158", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12158", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: reflected XSS using HOST header", }, { acknowledgments: [ { names: [ "Prapti Mittal", ], }, ], cve: "CVE-2017-12159", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484111", }, ], notes: [ { category: "description", text: "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: CSRF token fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12159", }, { category: "external", summary: "RHBZ#1484111", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484111", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12159", url: "https://www.cve.org/CVERecord?id=CVE-2017-12159", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12159", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: CSRF token fixation", }, { acknowledgments: [ { names: [ "Bart Toersche", ], organization: "Simacan", }, ], cve: "CVE-2017-12160", cwe: { id: "CWE-285", name: "Improper Authorization", }, discovery_date: "2017-08-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1484154", }, ], notes: [ { category: "description", text: "It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: resource privilege extension via access token in oauth", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12160", }, { category: "external", summary: "RHBZ#1484154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1484154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12160", url: "https://www.cve.org/CVERecord?id=CVE-2017-12160", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12160", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "keycloak: resource privilege extension via access token in oauth", }, { acknowledgments: [ { names: [ "Christian Heimes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-12197", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2017-09-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1503103", }, ], notes: [ { category: "description", text: "It was found that libpam4j did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", title: "Vulnerability description", }, { category: "summary", text: "libpam4j: Account check bypass", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-12197", }, { category: "external", summary: "RHBZ#1503103", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1503103", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-12197", url: "https://www.cve.org/CVERecord?id=CVE-2017-12197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-12197", }, ], release_date: "2017-10-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-10-17T19:53:00+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2904", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", "6Server-RHSSO-7.1:rh-sso7-keycloak-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.src", "6Server-RHSSO-7.1:rh-sso7-keycloak-server-0:2.5.14-1.Final_redhat_1.1.jbcs.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "libpam4j: Account check bypass", }, ], }
rhsa-2017_2809
Vulnerability from csaf_redhat
Published
2017-09-26 18:51
Modified
2024-12-15 18:47
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Enterprise Application Platform 7.0 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2809", url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "JBEAP-11484", url: "https://issues.redhat.com/browse/JBEAP-11484", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2809.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update", tracking: { current_release_date: "2024-12-15T18:47:23+00:00", generator: { date: "2024-12-15T18:47:23+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2017:2809", initial_release_date: "2017-09-26T18:51:56+00:00", revision_history: [ { date: "2017-09-26T18:51:56+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T18:51:56+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T18:47:23+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product: { name: "Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_id: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native-wildfly@1.1.0-13.redhat_4.ep7.el6?arch=x86_64", }, }, }, { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el6?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", product: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", product_id: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native-wildfly@1.1.0-13.redhat_4.ep7.el6?arch=i686", }, }, }, { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el6?arch=i686", }, }, }, ], category: "architecture", name: "i686", }, { branches: [ { category: "product_version", name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", product: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", product_id: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-artemis-native@1.1.0-13.redhat_4.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-log4j-jboss-logmanager@1.1.4-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-appclient@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ear@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-common@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-ejb@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-metadata-web@10.0.2-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-logmanager@2.0.7-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator@5.2.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-hibernate-validator-cdi@5.2.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remoting@4.0.24-1.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-federation@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-api@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-simple-schema@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-common@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-api@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-idm-impl@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-impl@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-config@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-wildfly8@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_id: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-picketlink-bindings@2.5.5-9.SP8_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", product_id: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jasypt@1.9.2-2.redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-mail@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-pkix@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_id: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-bouncycastle-prov@1.56.0-3.redhat_2.2.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-remote-naming@2.0.5-1.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-jboss-jms-api_2.0_spec@1.0.1-2.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", product_id: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-undertow@1.3.31-1.Final_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", product_id: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-javadocs@7.0.8-1.GA_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_id: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly-modules@7.0.8-4.GA_redhat_1.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_id: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/eap7-wildfly@7.0.8-4.GA_redhat_1.1.ep7.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", }, product_reference: "eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", }, product_reference: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64 as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", }, product_reference: "eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", }, product_reference: "eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", }, product_reference: "eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", }, product_reference: "eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", }, product_reference: "eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", relates_to_product_reference: "6Server-JBEAP-7.0", }, { category: "default_component_of", full_product_name: { name: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server", product_id: "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", }, product_reference: "eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JBEAP-7.0", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T18:51:56+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2809", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.src", "6Server-JBEAP-7.0:eap7-artemis-native-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.i686", "6Server-JBEAP-7.0:eap7-artemis-native-wildfly-0:1.1.0-13.redhat_4.ep7.el6.x86_64", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-0:1.56.0-3.redhat_2.2.ep7.el6.src", "6Server-JBEAP-7.0:eap7-bouncycastle-mail-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-pkix-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-bouncycastle-prov-0:1.56.0-3.redhat_2.2.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-hibernate-validator-0:5.2.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-hibernate-validator-cdi-0:5.2.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jasypt-0:1.9.2-2.redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-jms-api_2.0_spec-0:1.0.1-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-logmanager-0:2.0.7-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-0:10.0.2-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-metadata-appclient-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-common-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ear-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-ejb-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-metadata-web-0:10.0.2-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remote-naming-0:2.0.5-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-jboss-remoting-0:4.0.24-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-log4j-jboss-logmanager-0:1.1.4-2.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-bindings-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-common-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-config-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-federation-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-picketlink-idm-api-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-idm-simple-schema-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-impl-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-picketlink-wildfly8-0:2.5.5-9.SP8_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-undertow-0:1.3.31-1.Final_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-0:7.0.8-4.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.noarch", "6Server-JBEAP-7.0:eap7-wildfly-javadocs-0:7.0.8-1.GA_redhat_1.1.ep7.el6.src", "6Server-JBEAP-7.0:eap7-wildfly-modules-0:7.0.8-4.GA_redhat_1.1.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, ], }
rhsa-2017:2810
Vulnerability from csaf_redhat
Published
2017-09-26 17:58
Modified
2025-04-09 17:22
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)
The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Enterprise Application Platform.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.0.8 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). (CVE-2017-7536)\n\nThe CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was discovered by Gunnar Morling (Red Hat).", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:2810", url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { category: "external", summary: "https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/", url: "https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/", }, { category: "external", summary: "1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2810.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update", tracking: { current_release_date: "2025-04-09T17:22:54+00:00", generator: { date: "2025-04-09T17:22:54+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2017:2810", initial_release_date: "2017-09-26T17:58:02+00:00", revision_history: [ { date: "2017-09-26T17:58:02+00:00", number: "1", summary: "Initial version", }, { date: "2017-09-26T17:58:02+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T17:22:54+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss EAP 7", product: { name: "Red Hat JBoss EAP 7", product_id: "Red Hat JBoss EAP 7", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Enterprise Application Platform", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2014-9970", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2017-05-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1455566", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison.", title: "Vulnerability description", }, { category: "summary", text: "jasypt: Vulnerable to timing attack against the password hash comparison", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-9970", }, { category: "external", summary: "RHBZ#1455566", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1455566", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-9970", url: "https://www.cve.org/CVERecord?id=CVE-2014-9970", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", }, ], release_date: "2017-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jasypt: Vulnerable to timing attack against the password hash comparison", }, { cve: "CVE-2015-6644", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2017-04-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1444015", }, ], notes: [ { category: "description", text: "It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: Information disclosure in GCMBlockCipher", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-6644", }, { category: "external", summary: "RHBZ#1444015", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1444015", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-6644", url: "https://www.cve.org/CVERecord?id=CVE-2015-6644", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-6644", }, ], release_date: "2016-01-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: Information disclosure in GCMBlockCipher", }, { acknowledgments: [ { names: [ "Hynek Mlnarik", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-2582", cwe: { id: "CWE-201", name: "Insertion of Sensitive Information Into Sent Data", }, discovery_date: "2017-01-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1410481", }, ], notes: [ { category: "description", text: "It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the \"InResponseTo\" field in the response.", title: "Vulnerability description", }, { category: "summary", text: "keycloak: SAML request parser replaces special strings with system properties", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-2582", }, { category: "external", summary: "RHBZ#1410481", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1410481", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-2582", url: "https://www.cve.org/CVERecord?id=CVE-2017-2582", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-2582", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "keycloak: SAML request parser replaces special strings with system properties", }, { cve: "CVE-2017-5645", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2017-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1443635", }, ], notes: [ { category: "description", text: "It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.", title: "Vulnerability description", }, { category: "summary", text: "log4j: Socket receiver deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "The flaw in Log4j-1.x is now identified by CVE-2019-17571. CVE-2017-5645 has been assigned by MITRE to a similar flaw identified in Log4j-2.x", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-5645", }, { category: "external", summary: "RHBZ#1443635", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1443635", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-5645", url: "https://www.cve.org/CVERecord?id=CVE-2017-5645", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-5645", }, ], release_date: "2017-04-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: Socket receiver deserialization vulnerability", }, { acknowledgments: [ { names: [ "Gunnar Morling", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2017-7536", discovery_date: "2017-06-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1465573", }, ], notes: [ { category: "description", text: "It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().", title: "Vulnerability description", }, { category: "summary", text: "hibernate-validator: Privilege escalation when running under the security manager", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2017-7536", }, { category: "external", summary: "RHBZ#1465573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1465573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2017-7536", url: "https://www.cve.org/CVERecord?id=CVE-2017-7536", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", url: "https://nvd.nist.gov/vuln/detail/CVE-2017-7536", }, ], release_date: "2017-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "hibernate-validator: Privilege escalation when running under the security manager", }, { cve: "CVE-2019-17571", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1785616", }, ], notes: [ { category: "description", text: "A flaw was discovered in Log4j, where a vulnerable SocketServer class may lead to the deserialization of untrusted data. This flaw allows an attacker to remotely execute arbitrary code when combined with a deserialization gadget.", title: "Vulnerability description", }, { category: "summary", text: "log4j: deserialization of untrusted data in SocketServer", title: "Vulnerability summary", }, { category: "other", text: "This is the same issue as CVE-2017-5645. MITRE has CVE-2017-5645 to a similar flaw found in log4j-2.x. The flaw found in log4j-1.2 has been assigned CVE-2019-17571. CVE-2019-17571 has been addressed in Red Hat Enterprise Linux via RHSA-2017:2423.\nAlso the rh-java-common-log4j package shipped with Red Hat Software Collections was addressed via RHSA-2017:1417\n\nIn Satellite 5.8, although the version of log4j as shipped in the nutch package is affected, nutch does not load any of the SocketServer classes from log4j. Satellite 5 is considered not vulnerable to this flaw since the affected code can not be reached.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss EAP 7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-17571", }, { category: "external", summary: "RHBZ#1785616", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-17571", url: "https://www.cve.org/CVERecord?id=CVE-2019-17571", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", }, ], release_date: "2019-12-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-09-26T17:58:02+00:00", details: "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss EAP 7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { category: "workaround", details: "Please note that the Log4j upstream strongly recommends against using the SerializedLayout with the SocketAppenders. Customers may mitigate this issue by removing the SocketServer class outright; or if they must continue to use SocketAppenders, they can modify their SocketAppender configuration from SerializedLayout to use JsonLayout instead. An example of this in log4j-server.properties might look like this:\n\nlog4j.appender.file.layout=org.apache.log4j.JsonLayout", product_ids: [ "Red Hat JBoss EAP 7", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat JBoss EAP 7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j: deserialization of untrusted data in SocketServer", }, ], }
gsd-2014-9970
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
jasypt before 1.9.2 allows a timing attack against the password hash comparison.
Aliases
Aliases
{ GSD: { alias: "CVE-2014-9970", description: "jasypt before 1.9.2 allows a timing attack against the password hash comparison.", id: "GSD-2014-9970", references: [ "https://access.redhat.com/errata/RHSA-2018:0294", "https://access.redhat.com/errata/RHSA-2017:3141", "https://access.redhat.com/errata/RHSA-2017:2906", "https://access.redhat.com/errata/RHSA-2017:2905", "https://access.redhat.com/errata/RHSA-2017:2904", "https://access.redhat.com/errata/RHSA-2017:2811", "https://access.redhat.com/errata/RHSA-2017:2810", "https://access.redhat.com/errata/RHSA-2017:2809", "https://access.redhat.com/errata/RHSA-2017:2808", "https://access.redhat.com/errata/RHSA-2017:2547", "https://access.redhat.com/errata/RHSA-2017:2546", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2014-9970", ], details: "jasypt before 1.9.2 allows a timing attack against the password hash comparison.", id: "GSD-2014-9970", modified: "2023-12-13T01:22:48.694834Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2014-9970", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "jasypt before 1.9.2 allows a timing attack against the password hash comparison.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "1040360", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1040360", }, { name: "RHSA-2017:2809", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "RHSA-2017:2547", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { name: "RHSA-2017:2810", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "1039744", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1039744", }, { name: "RHSA-2018:0294", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { name: "RHSA-2017:2808", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "RHSA-2017:2546", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { name: "https://sourceforge.net/p/jasypt/code/668/", refsource: "CONFIRM", url: "https://sourceforge.net/p/jasypt/code/668/", }, { name: "RHSA-2017:3141", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { name: "RHSA-2017:2811", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2811", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "(,1.9.2)", affected_versions: "All versions before 1.9.2", cvss_v2: "AV:N/AC:L/Au:N/C:P/I:N/A:N", cvss_v3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", cwe_ids: [ "CWE-1035", "CWE-200", "CWE-937", ], date: "2022-07-06", description: "jasypt before 1.9.2 allows a timing attack against the password hash comparison.", fixed_versions: [ "1.9.2", ], identifier: "CVE-2014-9970", identifiers: [ "GHSA-r5c2-rxh2-f5h2", "CVE-2014-9970", ], not_impacted: "All versions starting from 1.9.2", package_slug: "maven/org.jasypt/jasypt", pubdate: "2022-05-14", solution: "Upgrade to version 1.9.2 or above.", title: "Exposure of Sensitive Information to an Unauthorized Actor", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2014-9970", "https://access.redhat.com/errata/RHSA-2017:2546", "https://access.redhat.com/errata/RHSA-2017:2547", "https://access.redhat.com/errata/RHSA-2017:2808", "https://access.redhat.com/errata/RHSA-2017:2809", "https://access.redhat.com/errata/RHSA-2017:2810", "https://access.redhat.com/errata/RHSA-2017:2811", "https://access.redhat.com/errata/RHSA-2017:3141", "https://access.redhat.com/errata/RHSA-2018:0294", "https://sourceforge.net/p/jasypt/code/668/", "https://github.com/advisories/GHSA-r5c2-rxh2-f5h2", ], uuid: "852f1a46-3f15-40c9-aa6a-7083c4a88634", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:jasypt_project:jasypt:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "1.9.1", vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2014-9970", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "jasypt before 1.9.2 allows a timing attack against the password hash comparison.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-200", }, ], }, ], }, references: { reference_data: [ { name: "https://sourceforge.net/p/jasypt/code/668/", refsource: "CONFIRM", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://sourceforge.net/p/jasypt/code/668/", }, { name: "1039744", refsource: "SECTRACK", tags: [], url: "http://www.securitytracker.com/id/1039744", }, { name: "RHSA-2017:3141", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { name: "RHSA-2017:2811", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { name: "RHSA-2017:2810", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "RHSA-2017:2809", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "RHSA-2017:2808", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "RHSA-2017:2547", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { name: "RHSA-2017:2546", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { name: "RHSA-2018:0294", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { name: "1040360", refsource: "SECTRACK", tags: [], url: "http://www.securitytracker.com/id/1040360", }, ], }, }, impact: { baseMetricV2: { cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, }, }, lastModifiedDate: "2018-02-14T02:29Z", publishedDate: "2017-05-21T18:29Z", }, }, }
fkie_cve-2014-9970
Vulnerability from fkie_nvd
Published
2017-05-21 18:29
Modified
2025-04-20 01:37
Severity ?
Summary
jasypt before 1.9.2 allows a timing attack against the password hash comparison.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jasypt_project | jasypt | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:jasypt_project:jasypt:*:*:*:*:*:*:*:*", matchCriteriaId: "CE8F4A27-C1BE-4759-AA43-FD9991FE98D5", versionEndIncluding: "1.9.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "jasypt before 1.9.2 allows a timing attack against the password hash comparison.", }, { lang: "es", value: "Jasypt en versiones anteriores a la 1.9.2 permite un ataque de sincronización contra la comparación del hash de la contraseña.", }, ], id: "CVE-2014-9970", lastModified: "2025-04-20T01:37:25.860", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-05-21T18:29:00.173", references: [ { source: "cve@mitre.org", url: "http://www.securitytracker.com/id/1039744", }, { source: "cve@mitre.org", url: "http://www.securitytracker.com/id/1040360", }, { source: "cve@mitre.org", url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { source: "cve@mitre.org", url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { source: "cve@mitre.org", url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { source: "cve@mitre.org", url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { source: "cve@mitre.org", url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { source: "cve@mitre.org", url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { source: "cve@mitre.org", url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { source: "cve@mitre.org", url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { source: "cve@mitre.org", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://sourceforge.net/p/jasypt/code/668/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1039744", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securitytracker.com/id/1040360", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2546", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2547", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:3141", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2018:0294", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://sourceforge.net/p/jasypt/code/668/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.