(RHSA-2017:0171) Moderate: JBoss Enterprise Application Platform 7.0.4 for RHEL 7

2017-01-18T23:38:06
ID RHSA-2017:0171
Type redhat
Reporter RedHat
Modified 2018-03-19T16:13:55

Description

This release of Red Hat JBoss Enterprise Application Platform 7.0.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.3, and includes bug fixes and enhancements, which are documented in the Release Notes, linked to in the References section.

Security Fix(es):

  • The EAP feature for downloading server log files exposes the logs through plain GET requests, which leaves the endpoint open to cross-origin attacks. An attacker can cause a victim user's browser to request the log files, consuming enough server resources that normal server functioning is impaired. (CVE-2016-8627)

  • It was discovered that when RBAC is configured and information is marked as sensitive, users with the Monitor role are still able to view that sensitive information. (CVE-2016-7061)

The CVE-2016-8627 issue was discovered by Darran Lofthouse and Brian Stansberry (Red Hat).
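
The cross-origin log-download issue (CVE-2016-8627) is the kind of abuse an access-log check can surface while an upgrade to 7.0.4 is pending. The following is an added example, not code from this advisory or from JBoss EAP: it scans constructed access-log lines for GET requests to a log-download resource whose Referer names a host other than the management server, and reports sources that repeat such requests. The "/log-file/" path marker, the hostname eap.example, the combined-log-with-Referer format and the sample lines are assumptions made for illustration, not documented EAP paths or formats.

```python
"""Flag cross-origin GET requests for server log downloads in an access log.

Added example; not part of RHSA-2017:0171 or of JBoss EAP. The log format is
a constructed combined-log variant with a Referer field, and LOG_DOWNLOAD_MARKER
is an assumed path marker for the log-download resource, not a documented path.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed format: client - - [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: hypothetical substring identifying the log-download resource.
LOG_DOWNLOAD_MARKER = "/log-file/"

# Constructed sample: three lure-driven fetches from one client, one legitimate
# console-driven fetch, one console page load, one CLI-style POST.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jan/2017:10:00:01 +0000] "GET /management/log-file/server.log HTTP/1.1" 200 5242880 "https://evil.example/lure.html" "Mozilla/5.0"
203.0.113.5 - - [18/Jan/2017:10:00:01 +0000] "GET /management/log-file/server.log HTTP/1.1" 200 5242880 "https://evil.example/lure.html" "Mozilla/5.0"
203.0.113.5 - - [18/Jan/2017:10:00:02 +0000] "GET /management/log-file/server.log HTTP/1.1" 200 5242880 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [18/Jan/2017:10:00:05 +0000] "GET /management/log-file/server.log HTTP/1.1" 200 5242880 "https://eap.example:9990/console/" "Mozilla/5.0"
198.51.100.7 - - [18/Jan/2017:10:00:06 +0000] "GET /console/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Jan/2017:10:00:07 +0000] "POST /management HTTP/1.1" 200 321 "-" "curl/7.51"
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cross_origin(referer, server_host):
    """True when the Referer names a host other than the management server.

    An empty or '-' Referer is not treated as cross-origin: it may be a direct
    request or a browser with a restrictive referrer policy, so it is inconclusive.
    """
    if referer in ("", "-"):
        return False
    return urlsplit(referer).hostname != server_host


def find_cross_origin_log_downloads(log_text, server_host):
    """Return parsed records for GET requests to the log-download resource from a foreign origin."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or LOG_DOWNLOAD_MARKER not in rec["path"]:
            continue
        if is_cross_origin(rec["referer"], server_host):
            hits.append(rec)
    return hits


def summarize(hits, threshold=3):
    """Map (client ip, referring host) to hit count, keeping only sources at or above threshold."""
    counts = Counter((h["ip"], urlsplit(h["referer"]).hostname) for h in hits)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_cross_origin_log_downloads(SAMPLE_LOG, "eap.example")
    for (ip, origin), n in summarize(found).items():
        print(f"{ip} fetched log files {n} times via cross-origin page on {origin}")
```

The Referer header is a usable signal here because a lure page that embeds the log URL in an image or script tag causes the browser to send the lure's origin as the Referer unless a referrer policy suppresses it, so an absent Referer is reported as inconclusive rather than as benign. This check is a compensating control only; the server-side fix in 7.0.4 is what actually closes the issue.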