logo
DATABASE RESOURCES PRICING ABOUT US

(RHSA-2017:1675) Moderate: Red Hat JBoss BPM Suite security update

Description

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. This release of Red Hat JBoss BPM Suite 6.4.4 serves as a replacement for Red Hat JBoss BPM Suite 6.4.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. (CVE-2016-6346) * It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy. (CVE-2016-9606) * It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through SocketServer/ServerSocketReceiver interfaces that can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains. (CVE-2017-5929) Red Hat would like to thank Mikhail Egorov (Odin) for reporting CVE-2016-6346 and Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting CVE-2016-9606.


Related