(RHSA-2018:0294) Important: Red Hat JBoss Data Grid 7.1.2 security update

2018-02-12T22:18:53
ID RHSA-2018:0294
Type redhat
Reporter RedHat
Modified 2018-02-12T22:19:17

Description

Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.

This release of Red Hat JBoss Data Grid 7.1.2 serves as a replacement for Red Hat JBoss Data Grid 7.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)

  • It was found that the Hotrod client in Infinispan would unsafely deserialize data read from the cache. An authenticated attacker could inject a malicious object into the data cache, have it deserialized on the client, and possibly conduct further attacks. (CVE-2017-15089)

  • A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
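The third fix above concerns how a submitted password's hash is compared against the stored one: a comparison that stops at the first differing byte takes measurably different time depending on how many leading bytes match. The Java class below is an added illustration for this advisory, not code from Red Hat or from Jasypt; it places that early-exit pattern beside a constant-time version and the JDK's own MessageDigest.isEqual, which has been constant-time since Java 6u17. The password strings and the SHA-256 hashing are constructed sample input, chosen only so the example runs stand-alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class DigestCompare {

    // Pattern vulnerable to a timing attack: returns at the first mismatching byte,
    // so the elapsed time reveals how many leading bytes of the guess were correct.
    static boolean leakyEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;   // early exit: timing depends on the input
        }
        return true;
    }

    // Constant-time pattern: OR the XOR of every byte pair and decide only at the end,
    // so the loop runs the same number of iterations whether or not the inputs match.
    // (Only the length is exposed, which for fixed-size digests is not a secret.)
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Standard-library equivalent; prefer this over a hand-rolled loop in production code.
    static boolean libraryEquals(byte[] a, byte[] b) {
        return MessageDigest.isEqual(a, b);
    }

    // Constructed helper: hashes a string with SHA-256 so the example has digests to compare.
    static byte[] sha256(String s) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] stored  = sha256("correct horse battery staple"); // constructed "stored hash"
        byte[] attempt = sha256("correct horse battery staple"); // correct submission
        byte[] wrong   = sha256("wrong guess");                  // incorrect submission

        System.out.println("leaky    match=" + leakyEquals(stored, attempt)
                + " mismatch=" + leakyEquals(stored, wrong));
        System.out.println("constant match=" + constantTimeEquals(stored, attempt)
                + " mismatch=" + constantTimeEquals(stored, wrong));
        System.out.println("library  match=" + libraryEquals(stored, attempt)
                + " mismatch=" + libraryEquals(stored, wrong));
    }
}
```

All three methods return the same boolean for the same inputs; the difference is only in how long a mismatch takes, which is exactly the channel the advisory's third item refers to. When auditing code that verifies hashes, HMACs or tokens, the early-exit shape of leakyEquals (and calls to Arrays.equals or String.equals on secret material) is the pattern to look for.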

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525 and Man Yue Mo (Semmle/lgtm.com) for reporting CVE-2017-15089.