(RHSA-2018:0268) Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update

2018-02-05T15:25:35
ID RHSA-2018:0268
Type redhat
Reporter RedHat
Modified 2018-03-19T16:13:49

Description

Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.

This release of Red Hat JBoss Enterprise Application Platform 6.4.19 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.18, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • It was found that when Artemis and HornetQ are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may result in a heap memory exhaustion, full GC, or OutOfMemoryError. (CVE-2017-12174)

  • A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution. (CVE-2017-12617)

  • A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting versions 3.3.10.Final-redhat-1, reads from an empty buffer. An attacker could use this flaw to cause denial of service via high CPU caused by an infinite loop. (CVE-2018-1041)

The CVE-2017-12174 issue was discovered by Masafumi Miura (Red Hat).