Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2641
Important: Red Hat JBoss BPM Suite 6.4.12 security update
17 July 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat JBoss BPM Suite 6.4.12
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-19362 CVE-2018-19361 CVE-2018-19360
CVE-2018-14719 CVE-2018-14718 CVE-2018-12023
CVE-2018-12022 CVE-2017-17485 CVE-2017-15095
Reference: ESB-2019.2630
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:1797
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss BPM Suite 6.4.12 security update
Advisory ID: RHSA-2019:1797-01
Product: Red Hat Process Automation Manager
Advisory URL: https://access.redhat.com/errata/RHSA-2019:1797
Issue date: 2019-07-16
CVE Names: CVE-2017-17485 CVE-2018-12022 CVE-2018-12023
CVE-2018-14718 CVE-2018-14719 CVE-2018-19360
CVE-2018-19361 CVE-2018-19362
=====================================================================
1. Summary:
An update is now available for Red Hat JBoss BPM Suite.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of
JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.4.12 serves as a replacement for
Red Hat JBoss BPM Suite 6.4.11, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.
Security Fix(es):
* jackson-databind: arbitrary code execution in slf4j-ext class
(CVE-2018-14718)
* jackson-databind: improper polymorphic deserialization in openjpa class
(CVE-2018-19361)
* jackson-databind: improper polymorphic deserialization in
axis2-transport-jms class (CVE-2018-19360)
* jackson-databind: improper polymorphic deserialization in
jboss-common-core (CVE-2018-19362)
* jackson-databind: arbitrary code execution in blaze-ds-opt and
blaze-ds-core classes (CVE-2018-14719)
* jackson-databind: improper polymorphic deserialization of types from
Jodd-db library (CVE-2018-12022)
* jackson-databind: improper polymorphic deserialization of types from
Oracle JDBC driver (CVE-2018-12023)
* jackson-databind: Unsafe deserialization due to incomplete black list
(incomplete fix for CVE-2017-15095) (CVE-2017-17485)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
It is recommended to halt the server by stopping the JBoss Application
Server process before installing this update; after installing the update,
restart the server by starting the JBoss Application Server process.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
5. References:
https://access.redhat.com/security/cve/CVE-2017-17485
https://access.redhat.com/security/cve/CVE-2018-12022
https://access.redhat.com/security/cve/CVE-2018-12023
https://access.redhat.com/security/cve/CVE-2018-14718
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhpam&downloadType=securityPatches&version=6.4
https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/6.4/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXS35rtzjgjWX9erEAQgvjhAAp+5Q4mWxjM69OaVgjG70qBoGcV1Dl+k2
U8HrlkS+WXB9/52LxlZUgKeTB8oyR48J6P4VJ7nYvPmGwgiWIUq3z1chPSVFdfXQ
vbKQ35Ho3QsD1T+POsU8CiVIVkm172ATXlmMbO6QWHjhMLE4PrG3u6QPJs2N0KCy
xSNfEVw39xb7wfwORSGeY5cklsXRCSsW74yce7rjojX8FxlNypc9+vYaOi13AkBJ
mIjqDy7bKKXxEgIagPYNQWOvllzFY+zgtsHuMqGVLYIPuV+BXAyM6dIUk53DyDPE
Dhan9ZWZcp2aHMt4kKfpnmqY7+JdY2wXOEFOtxi9HrKL9Q1s88O1tRt5Trvf26nt
Ly9W6LGWr2rhtRaxozUfHLP26OGCdwqDbLa4BEAj3xvaLWZsFcMMlKDhDLM6y/Bl
CMk4bOxutpMO0d/wWOC3iLQKnqZuh2j/8Q2vPhEfQDu0Ph9D9ceUQGMik/JaYYvM
tpW83kjJmP6UoU6X2as8XbrA37ExqrZoKUoX14lf9ftZLgPIrmsRhWpgbWtt/Ef/
de72LKGFbJBRR9wTCv9bFe9wUeI7RHsWcTqGVrZQ7srqCdLQQpkoG2REKMGoRtuB
rW8wWW2HzAK/4XnSweg7/1aTKy3yN/kixEBynFbZAW3p2TkVBzmSvdSUwCVkWZhV
GJV2g8cgeEw=
=T9v8
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXS5k/2aOgq3Tt24GAQiYgA/8C22fwZgIlwdYqSw+QkDTBRV5V9iJhFPp
aWWAH6E009b8mCFrdH8vaMKXA1oEXpjmoGh0LZ0TTrwZ+cBb1QXRrsJzWoO2JZlk
XAw+z6YbxAzreLw/eKkHSgYmxiozc4nqVl0YLuu1dZAaazTGkvU9OKSjTIQN9gGR
x6RPVpOrwyjAOJmLaH5azVyy+u9L90rDkR5HYO/+jCKKvHomGqdyUafve5QBGJjB
1pGxvL4ru8sMZscH1VR8HHdDsDtbRARGfZ8G7kYnZwNa3LSCnpuKMXeLEBWLnjYI
2ImFLaFZzZKBAOBSB5wPxDjQ3NBl4rxeCqsDNzxNdYW9tymtp4B2/Grm7FBKgZq9
9asS/eTeURqg0npXDaqOM0KjLb05isZKUTaZe2AbuirCQ+Qt1BNuHS/6wXNSB9Zr
Wa64XkwBk8XVz/OQWDVuPnu1P1x6G/s2U+TusvdjA7tjimUZWE+LAA1rsm0xzrSR
06FYYm0/ai0qMiqJ35hqApivhTydtCIUFmCtis3Oc+n7tM9deCuZHCwE43o7AFiL
37uBHqPVzzy4o+BDkY6S5+ELfmE+GHkhiiUnmGXjz/FPcomvXXzmo2ysOYUAgvNf
clvFNDHgPYLwp4G5VnhldRNuIs2vh0MuniWA0kTsD7gbVvOsoqdphyDjGEJnK1c8
Mc7MNRLpgyw=
=Jme9
-----END PGP SIGNATURE-----