Lucene search

K
redhatRedHatRHSA-2019:1797
HistoryJul 16, 2019 - 4:19 p.m.

(RHSA-2019:1797) Important: Red Hat JBoss BPM Suite 6.4.12 security update

2019-07-1616:19:53
access.redhat.com
105
red hat jboss bpm suite
business rules management
jboss rules
bpmn2-compliant
security update
jackson-databind
cve-2018-14718
cve-2018-19361
cve-2018-19360
cve-2018-19362
cve-2018-14719
cve-2018-12022
oracle jdbc driver
cve-2017-17485

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.14

Percentile

95.8%

Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.4.12 serves as a replacement for Red Hat JBoss BPM Suite 6.4.11, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)

  • jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)

  • jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)

  • jackson-databind: improper polymorphic deserialization in jboss-common-core (CVE-2018-19362)

  • jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)

  • jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

  • jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

  • jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.14

Percentile

95.8%