(RHSA-2017:1836) Important: Red Hat JBoss Enterprise Application Platform 7.0.7

2017-07-31T18:43:40
ID RHSA-2017:1836
Type redhat
Reporter RedHat
Modified 2017-07-31T18:44:18

Description

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 7.0.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)

  • It was found that use of a JMS ObjectMessage does not safely handle user-supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the JMS ObjectMessage. (CVE-2016-4978)

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525.