Nacionalni CERT

Security vulnerabilities in the Red Hat JBoss BRMS software package

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BRMS 6.4.6 security update
Advisory ID:       RHSA-2017:2888-01
Product:           Red Hat JBoss BRMS
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2888
Issue date:        2017-10-12
CVE Names:         CVE-2017-5645 CVE-2017-7957
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss BRMS.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the
management, storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.4.6 serves as a replacement for Red
Hat JBoss BRMS 6.4.5, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.

Security Fix(es):

* It was found that when using remote logging with log4j socket server the
log4j server would deserialize any log event received via TCP or UDP. An
attacker could use this flaw to send a specially crafted log event that,
during deserialization, would execute arbitrary code in the context of the
logger application. (CVE-2017-5645)

* It was found that XStream contains a vulnerability that allows a
maliciously crafted file to be parsed successfully which could cause an
application crash. The crash occurs if the file that is being fed into
XStream input stream contains an instance of the primitive type 'void'. An
attacker could use this flaw to create a denial of service on the target
system. (CVE-2017-7957)

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1441538 - CVE-2017-7957 XStream: DoS when unmarshalling void type
1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2017-5645
https://access.redhat.com/security/cve/CVE-2017-7957
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?prod...
https://access.redhat.com/documentation/en/red-hat-jboss-brms/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZ3+XmXlSAg2UNWIIRAhnZAJ904MMtdyV9D665eh+Y/2I0cMAbUQCeNoD7
CiB9NXrVMINnroXTjgZJW5c=
=jkNz
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Security vulnerabilities have been discovered in the Red Hat JBoss BRMS software package. The discovered vulnerabilities allow potential attackers to execute arbitrary code or carry out denial-of-service attacks. Updating with the released patches is advised.
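The root cause behind CVE-2017-5645 in the advisory above is a socket receiver that hands every incoming byte stream to Java's ObjectInputStream, so any serializable class on the classpath can be instantiated by a remote peer. The generic defensive pattern for this class of bug is to restrict deserialization to an explicit allowlist of expected classes before the stream is allowed to resolve them. The following is an added illustration of that pattern, written for this page; it is not code from the advisory, from Red Hat, or from the log4j project, and the allowlist contents (java.util.ArrayList for the self-contained demo, org.apache.log4j.spi.LoggingEvent as the kind of event class a real receiver would permit) are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * ObjectInputStream that refuses to resolve any class not on an explicit
 * allowlist. Because the check happens in resolveClass, a disallowed class is
 * rejected before any instance of it is created, which is what blocks
 * gadget-chain payloads delivered over a network socket.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Fail closed: the stream is abandoned, nothing is instantiated.
            throw new InvalidClassException(name, "class not permitted by deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Helper used only to build a constructed sample payload for the demo. */
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    /** Deserialize a byte stream under the given allowlist. */
    static Object readWithAllowlist(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless ArrayList standing in for "whatever a peer sent".
        byte[] payload = serialize(new ArrayList<>(Arrays.asList("first", "second")));

        // Allowlist that includes the class actually present in the stream: accepted.
        Set<String> permissive = new HashSet<>(Arrays.asList("java.util.ArrayList"));
        System.out.println("accepted: " + readWithAllowlist(payload, permissive));

        // Allowlist a log receiver might use (assumed event class): the ArrayList is rejected
        // in resolveClass, before any object is constructed.
        Set<String> receiverOnly = new HashSet<>(Arrays.asList("org.apache.log4j.spi.LoggingEvent"));
        try {
            readWithAllowlist(payload, receiverOnly);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later (and 8u121 and later), the same effect is available without subclassing through java.io.ObjectInputFilter, configured per stream or globally via the jdk.serialFilter system property; the overriding resolveClass approach shown here is the portable form that works on any Java version. In either form, the allowlist should name only the event class the receiver genuinely expects plus the JDK types its serialized form references, and the receiver should still be treated as a network-exposed service rather than an internal logging channel.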