Nacionalni CERT

Security vulnerabilities in the Red Hat JBoss BPM Suite software package

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss BPM Suite 6.4.6 security update
Advisory ID:       RHSA-2017:2889-01
Product:           Red Hat JBoss BPM Suite
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2889
Issue date:        2017-10-12
CVE Names:         CVE-2017-5645 CVE-2017-7957
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss BPM Suite.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of
JBoss rules and BPMN2-compliant business processes.

This release of Red Hat JBoss BPM Suite 6.4.6 serves as a replacement for
Red Hat JBoss BPM Suite 6.4.5, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* It was found that when using remote logging with log4j socket server the
log4j server would deserialize any log event received via TCP or UDP. An
attacker could use this flaw to send a specially crafted log event that,
during deserialization, would execute arbitrary code in the context of the
logger application. (CVE-2017-5645)

* It was found that XStream contains a vulnerability that allows a
maliciously crafted file to be parsed successfully which could cause an
application crash. The crash occurs if the file that is being fed into the
XStream input stream contains an instance of the primitive type 'void'. An
attacker could use this flaw to create a denial of service on the target
system. (CVE-2017-7957)

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1441538 - CVE-2017-7957 XStream: DoS when unmarshalling void type
1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2017-5645
https://access.redhat.com/security/cve/CVE-2017-7957
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?prod...
https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZ3+YiXlSAg2UNWIIRApkVAJ94hyturYv4p01us5mQ+OobGQYEswCfcbjO
QgfbMB3/sUo6+bnE6qqd+x8=
=uuKL
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
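The first Security Fix entry above describes a receiver that deserializes whatever object stream a remote peer sends it. The mitigation pattern for that class of flaw is a look-ahead allow-list: reject the class descriptor before the object is instantiated, so no constructor, readObject or readResolve method of an unexpected type ever runs. The example below is added here and is not code from Red Hat or from the log4j project; the allow-list of package prefixes is an assumption standing in for the types a log4j 1.x LoggingEvent actually carries, and the in-memory streams are constructed stand-ins for the socket.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not Red Hat's or log4j's own code): an ObjectInputStream that
 * refuses to resolve any class outside an allow-list, so a remote peer can only
 * make the receiver instantiate the types a log event legitimately contains.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    // Assumed allow-list: package prefixes a log4j 1.x LoggingEvent's serialized
    // field graph is expected to need. Tighten this to exact class names once the
    // real event graph has been inspected; an exact list is the safer option.
    static final List<String> ALLOWED_PREFIXES = Arrays.asList(
            "java.lang.", "java.util.", "org.apache.log4j.");

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** Reduces an array descriptor such as "[Lorg.apache.log4j.Foo;" to its element class name. */
    static String elementClassName(String name) {
        String n = name;
        while (n.startsWith("[")) {
            n = n.substring(1);
        }
        if (n.startsWith("L") && n.endsWith(";")) {
            n = n.substring(1, n.length() - 1);
        }
        return n;
    }

    static boolean isAllowed(String className) {
        String n = elementClassName(className);
        // Primitive array element descriptors ("I", "B", ...) carry no class to load.
        if (n.length() == 1) {
            return true;
        }
        for (String prefix : ALLOWED_PREFIXES) {
            if (n.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // resolveClass runs before the object is allocated, so a rejected class
        // never has its readObject/readResolve methods invoked.
        if (!isAllowed(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Demonstration with constructed in-memory streams instead of a socket.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (AllowListObjectInputStream in =
                     new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> event = new HashMap<>();
        event.put("message", "constructed sample log line");
        System.out.println("allowed type read back: " + readFiltered(serialize(event)));

        try {
            // java.io.File is Serializable but outside the allow-list; it must be refused.
            readFiltered(serialize(new File("/tmp/not-a-log-event")));
            System.out.println("unexpected: disallowed type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected before instantiation: " + e.getMessage());
        }
    }
}
```

Two practical notes. A package-prefix list is coarser than an exact class list: `java.util.` still admits every collection class, so the narrowest list that still deserializes the event is the one to deploy. On Java 9 and later the same check is available natively through `ObjectInputFilter` (`ObjectInputStream.setObjectInputFilter`), which can additionally cap graph depth and array sizes, a useful second line of defence against the resource-exhaustion variant of the same problem.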
Security vulnerabilities have been discovered in the Red Hat JBoss BPM Suite software package. The discovered vulnerabilities allow potential attackers to execute arbitrary code or carry out denial-of-service attacks. Updating with the released patches is advised.