History: Jan 18, 2017 - 6:38 p.m.

(RHSA-2017:0172) Moderate: Red Hat JBoss Enterprise Application Platform 7.0.4

2017-01-18 18:38:22
access.redhat.com
EPSS: 0.005 (Low); Percentile: 77.1%

Red Hat JBoss Enterprise Application Platform 7 is an application server that serves as a middleware platform and is built on open standards and compliant with the Java EE 7 specification.

This release of Red Hat JBoss Enterprise Application Platform 7.0.4 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.3, and includes bug fixes and enhancements, which are documented in the Release Notes, linked to in the References section.

Security Fix(es):

  • An EAP feature to download server log files allows logs to be available via GET requests, making them vulnerable to cross-origin attacks. An attacker could trigger the user’s browser to request the log files, consuming enough resources that normal server functioning could be impaired. (CVE-2016-8627)

  • It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information. (CVE-2016-7061)

The CVE-2016-8627 issue was discovered by Darran Lofthouse and Brian Stansberry (Red Hat).
