[RHSA-2017:0170-01] Moderate: JBoss Enterprise Application Platform 7.0.4 on RHEL 6

bugzilla at redhat.com bugzilla at redhat.com
Wed Jan 18 22:14:51 UTC 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: JBoss Enterprise Application Platform 7.0.4 on RHEL 6
Advisory ID:       RHSA-2017:0170-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0170.html
Issue date:        2017-01-18
CVE Names:         CVE-2016-7061 CVE-2016-8627 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform 7.0 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server - noarch

3. Description:

This release of Red Hat JBoss Enterprise Application Platform 7.0.4 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.3,
and includes bug fixes and enhancements, which are documented in the
Release Notes, linked to in the References section.

Security Fix(es):

* An EAP feature to download server log files allows logs to be available
via GET requests making them vulnerable to cross-origin attacks. An
attacker could trigger the user's browser to request the log files
consuming enough resources that normal server functioning could be
impaired. (CVE-2016-8627)

* It was discovered that when configuring RBAC and marking information as
sensitive, users with a Monitor role are able to view the sensitive
information. (CVE-2016-7061)

The CVE-2016-8627 issue was discovered by Darran Lofthouse and Brian
Stansberry (Red Hat).

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1380852 - CVE-2016-7061 EAP: Sensitive data can be exposed at the server level in domain mode
1388240 - CVE-2016-8627 Potential EAP resource starvation DOS attack via GET requests for server log files

6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-5960 - Tracker bug for the EAP 7.0.4 release for RHEL-6

7. Package List:

Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server:

Source:
eap7-apache-cxf-3.1.8-3.redhat_1.1.ep7.el6.src.rpm
eap7-infinispan-8.1.6-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-ironjacamar-1.3.5-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-jboss-aesh-0.66.12-1.redhat_1.1.ep7.el6.src.rpm
eap7-jboss-ejb-client-2.1.7-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-jboss-genericjms-1.0.8-2.Final_redhat_1.1.ep7.el6.src.rpm
eap7-jboss-transaction-spi-7.3.0-2.SP1_redhat_1.1.ep7.el6.src.rpm
eap7-jboss-xnio-base-3.4.1-2.Final_redhat_1.1.ep7.el6.src.rpm
eap7-narayana-5.2.21-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-picketlink-bindings-2.5.5-4.SP4_redhat_1.1.ep7.el6.src.rpm
eap7-picketlink-federation-2.5.5-4.SP4_redhat_1.1.ep7.el6.src.rpm
eap7-resteasy-3.0.19-2.Final_redhat_1.1.ep7.el6.src.rpm
eap7-wildfly-7.0.4-4.GA_redhat_2.1.ep7.el6.src.rpm
eap7-wildfly-javadocs-7.0.4-2.GA_redhat_3.1.ep7.el6.src.rpm
eap7-wildfly-web-console-eap-2.8.28-1.Final_redhat_1.1.ep7.el6.src.rpm
eap7-wss4j-2.1.7-2.redhat_1.1.ep7.el6.src.rpm
eap7-xml-security-2.0.7-2.redhat_1.1.ep7.el6.src.rpm

noarch:
eap7-apache-cxf-3.1.8-3.redhat_1.1.ep7.el6.noarch.rpm
eap7-apache-cxf-rt-3.1.8-3.redhat_1.1.ep7.el6.noarch.rpm
eap7-apache-cxf-services-3.1.8-3.redhat_1.1.ep7.el6.noarch.rpm
eap7-apache-cxf-tools-3.1.8-3.redhat_1.1.ep7.el6.noarch.rpm
eap7-infinispan-8.1.6-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-infinispan-cachestore-jdbc-8.1.6-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-infinispan-cachestore-remote-8.1.6-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-infinispan-client-hotrod-8.1.6-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-infinispan-commons-8.1.6-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-infinispan-core-8.1.6-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-ironjacamar-1.3.5-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-ironjacamar-common-api-1.3.5-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-ironjacamar-common-impl-1.3.5-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-ironjacamar-common-spi-1.3.5-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-ironjacamar-core-api-1.3.5-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-ironjacamar-core-impl-1.3.5-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-ironjacamar-deployers-common-1.3.5-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-ironjacamar-jdbc-1.3.5-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-ironjacamar-validator-1.3.5-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-jboss-aesh-0.66.12-1.redhat_1.1.ep7.el6.noarch.rpm
eap7-jboss-ejb-client-2.1.7-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-jboss-genericjms-1.0.8-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-jboss-transaction-spi-7.3.0-2.SP1_redhat_1.1.ep7.el6.noarch.rpm
eap7-jboss-xnio-base-3.4.1-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-compensations-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-jbosstxbridge-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-jbossxts-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-jts-idlj-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-jts-integration-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-restat-api-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-restat-bridge-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-restat-integration-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-restat-util-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-narayana-txframework-5.2.21-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-picketlink-api-2.5.5-4.SP4_redhat_1.1.ep7.el6.noarch.rpm
eap7-picketlink-bindings-2.5.5-4.SP4_redhat_1.1.ep7.el6.noarch.rpm
eap7-picketlink-common-2.5.5-4.SP4_redhat_1.1.ep7.el6.noarch.rpm
eap7-picketlink-config-2.5.5-4.SP4_redhat_1.1.ep7.el6.noarch.rpm
eap7-picketlink-federation-2.5.5-4.SP4_redhat_1.1.ep7.el6.noarch.rpm
eap7-picketlink-idm-api-2.5.5-4.SP4_redhat_1.1.ep7.el6.noarch.rpm
eap7-picketlink-idm-impl-2.5.5-4.SP4_redhat_1.1.ep7.el6.noarch.rpm
eap7-picketlink-idm-simple-schema-2.5.5-4.SP4_redhat_1.1.ep7.el6.noarch.rpm
eap7-picketlink-impl-2.5.5-4.SP4_redhat_1.1.ep7.el6.noarch.rpm
eap7-picketlink-wildfly8-2.5.5-4.SP4_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-async-http-servlet-3.0-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-atom-provider-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-cdi-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-client-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-crypto-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-jackson-provider-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-jackson2-provider-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-jaxb-provider-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-jaxrs-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-jettison-provider-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-jose-jwt-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-jsapi-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-json-p-provider-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-multipart-provider-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-spring-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-validator-provider-11-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-resteasy-yaml-provider-3.0.19-2.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-wildfly-7.0.4-4.GA_redhat_2.1.ep7.el6.noarch.rpm
eap7-wildfly-javadocs-7.0.4-2.GA_redhat_3.1.ep7.el6.noarch.rpm
eap7-wildfly-modules-7.0.4-4.GA_redhat_2.1.ep7.el6.noarch.rpm
eap7-wildfly-web-console-eap-2.8.28-1.Final_redhat_1.1.ep7.el6.noarch.rpm
eap7-wss4j-2.1.7-2.redhat_1.1.ep7.el6.noarch.rpm
eap7-wss4j-bindings-2.1.7-2.redhat_1.1.ep7.el6.noarch.rpm
eap7-wss4j-policy-2.1.7-2.redhat_1.1.ep7.el6.noarch.rpm
eap7-wss4j-ws-security-common-2.1.7-2.redhat_1.1.ep7.el6.noarch.rpm
eap7-wss4j-ws-security-dom-2.1.7-2.redhat_1.1.ep7.el6.noarch.rpm
eap7-wss4j-ws-security-policy-stax-2.1.7-2.redhat_1.1.ep7.el6.noarch.rpm
eap7-wss4j-ws-security-stax-2.1.7-2.redhat_1.1.ep7.el6.noarch.rpm
eap7-xml-security-2.0.7-2.redhat_1.1.ep7.el6.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2016-7061
https://access.redhat.com/security/cve/CVE-2016-8627
https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/

9. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYf+jZXlSAg2UNWIIRAjI9AJ4ralojNC3L847xk5TcD54XaKSBFQCgpdhk
FKCw5G27aaC8clRz5yWxJ78=
=41uC
-----END PGP SIGNATURE-----




More information about the Jboss-watch-list mailing list