You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa Red Hat JBoss BRMS

Sigurnosni nedostaci programskog paketa Red Hat JBoss BRMS

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LRH

Hash: SHA1

Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss BRMS 6.4.6 security update
Advisory ID: RHSA-2017:2888-01
Product: Red Hat JBoss BRMS
Advisory URL:
Issue date: 2017-10-12
CVE Names: CVE-2017-5645 CVE-2017-7957

1. Summary:

An update is now available for Red Hat JBoss BRMS.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss BRMS is a business rules management system for the
management, storage, creation, modification, and deployment of JBoss Rules.

This release of Red Hat JBoss BRMS 6.4.6 serves as a replacement for Red
Hat JBoss BRMS 6.4.5, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.

Security Fix(es):

* It was found that when using remote logging with log4j socket server the
log4j server would deserialize any log event received via TCP or UDP. An
attacker could use this flaw to send a specially crafted log event that,
during deserialization, would execute arbitrary code in the context of the
logger application. (CVE-2017-5645)

* It was found that XStream contains a vulnerability that allows a
maliciously crafted file to be parsed successfully which could cause an
application crash. The crash occurs if the file that is being fed into
XStream input stream contains an instances of the primitive type ‘void’. An
attacker could use this flaw to create a denial of service on the target
system. (CVE-2017-7957)

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (

1441538 – CVE-2017-7957 XStream: DoS when unmarshalling void type
1443635 – CVE-2017-5645 log4j: Socket receiver deserialization vulnerability

5. References:

6. Contact:

The Red Hat security contact is <>. More contact
details at

Copyright 2017 Red Hat, Inc.
Version: GnuPG v1


RHSA-announce mailing list

AutorDanijel Kozinovic
Cert idNCERT-REF-2017-10-0100-ADV
More in Preporuke
Sigurnosni nedostatak programske biblioteke libffi

Otkriven je sigurnosni nedostatak u programskoj biblioteci libffi za operacijski sustav Ubuntu 14.04 LTS. Otkriveni nedostatak potencijalnim napadačima omogućuje izvršavanje...