[RHSA-2020:2561-01] Critical: EAP Continuous Delivery Technical Preview Release 12 security update

Mon Jun 15 17:09:23 UTC 2020

This is a security update for JBoss EAP Continuous Delivery 12.0.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform CD12 is a platform for Java
applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform CD12 includes
bug fixes and enhancements. 

Security Fix(es):

* artemis: artemis/hornetq: memory exhaustion via UDP and JGroups discovery
(CVE-2017-12174)
* lucene: Solr: Code execution via entity expansion (CVE-2017-12629)
* infinispan-core: infinispan: Unsafe deserialization of malicious object
injected into data cache (CVE-2017-15089)
* slf4j: Deserialisation vulnerability in EventData constructor can allow
for arbitrary code execution (CVE-2018-8088)
* elytron: client can use bogus uri in digest authentication
(CVE-2017-12196)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

You must restart the JBoss server process for the update to take effect.

The References section of this erratum contains a download link (you must
log in to download the update)

4. Bugs fixed (https://bugzilla.redhat.com/):

1498378 - CVE-2017-12174 artemis/hornetq: memory exhaustion via UDP and JGroups discovery
1501529 - CVE-2017-12629 Solr: Code execution via entity expansion
1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication
1503610 - CVE-2017-15089 infinispan: Unsafe deserialization of malicious object injected into data cache
1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution

5. References:

https://access.redhat.com/security/cve/CVE-2017-12174
https://access.redhat.com/security/cve/CVE-2017-12196
https://access.redhat.com/security/cve/CVE-2017-12629
https://access.redhat.com/security/cve/CVE-2017-15089
https://access.redhat.com/security/cve/CVE-2018-8088
https://access.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXuerPtzjgjWX9erEAQgCkA//fN8OaspSHgLAnFgnSsHPHaOanomERmo/
KQTFe0eUohwOjqsuZRy7d7bCTgI0Dy6sPxX9C/keWiQjUId6sa7WHNdYhSfhr030
9hBEs7aqgeDFPmum+/+qSz9JzHbxrj5FMJDQlD8A07t0BkEJzQHv/5oI6Jzdm/pU
Mj1uUVVlhI+GyU86UY+0Lgu6eyYbr7BtGMtBoxkwcD/SrzxaN3DWChuaia+Z7tkd
YuK3EbfGI/O0go7wBBtBLZacW8phdAgHxYcUaI9JlpOMLXCqqVv0iW4cEnSifEvy
hwGE70lNMZnCGN+1yaZ547eQXXeBCPjtvFnVqxJ5ipafK1IJfQU+Boq6JPC4Wp4A
bOxC5vg9wTZr49PrtvcGY/+0/IGNxUVsbvqxpM+Lp8cN3kLNG1sxPjv34y1WUU/Z
B85ydHw/HM34GH6VJhRFN4DnDckdR5Z61uyVYGPUOCFN0ujUrN3mE5doQz1Ob3tR
gVDtmj6f59jHJjO6e5rXwbGK70JkjtHAWDn9ysoGGz/CvqXMAvNzwZgb2ALmL+EW
ylfwlse4zwqaShFKhai6R0buhTZVi25IwuPRotWKZf+Bd5kLqBgaSwTkULKBh5Dl
Wobbg6qBbD38NQEhkbLEJs4vMti9pl8aqN5UH4zpbgsZRn8Tx0j44TePjrGSVsLi
6aRRuqm1Oag=
=OQYb
-----END PGP SIGNATURE-----