Red Hat 8933 Published by

A Red Hat JBoss Enterprise Application Platform 7.4.10 security update has been released.



RHSA-2023:1516-01: Important: Red Hat JBoss Enterprise Application Platform 7.4.10 security update



=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4.10 security update
Advisory ID: RHSA-2023:1516-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:1516
Issue date: 2023-03-29
CVE Names: CVE-2022-1471 CVE-2022-4492 CVE-2022-38752
CVE-2022-41853 CVE-2022-41854 CVE-2022-41881
CVE-2022-45787 CVE-2023-0482 CVE-2023-1108
=====================================================================

1. Summary:

A security update is now available for Red Hat JBoss Enterprise Application
Platform 7.4.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9,
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.4.10 Release Notes for information about the most
significant bug fixes and enhancements included in this release.

Security Fix(es):

* SnakeYaml: Constructor Deserialization Remote Code Execution
(CVE-2022-1471)

* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

* undertow: Server identity in https connection is not checked by the
undertow client (CVE-2022-4492)

* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
(CVE-2022-38752)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
(CVE-2022-41881)

* apache-james-mime4j: Temporary File Information Disclosure in MIME4J
TempFileStorageProvider (CVE-2022-45787)

* RESTEasy: creation of insecure temp files (CVE-2023-0482)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode
2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close

5. JIRA issues fixed (  https://issues.jboss.org/):

JBEAP-23572 - (7.4.z) Upgrade jbossws-spi from 3.3.1.Final-redhat-00001 to 3.4.0.Final-redhat-00001
JBEAP-24172 - (7.4.z) Upgrade jbossws-cxf from 5.4.4.Final-redhat-00001 to 5.4.8.Final-redhat-00001
JBEAP-24182 - (7.4.z) Upgrade wildfly-http-ejb-client from 1.1.13.SP1-redhat-00001 to 1.1.16.Final-redhat-00002
JBEAP-24220 - [GSS](7.4.z) Upgrade JBoss Metadata from 13.0.0.Final-redhat-00001 to 13.4.0.Final-redhat-00001
JBEAP-24254 - JDK17, CLI script to update security doesn't apply to microprofile
JBEAP-24292 - (7.4.z) Upgrade Artemis Native from 1.0.2.redhat-00001 to 1.0.2.redhat-00004
JBEAP-24339 - (7.4.z) Upgrade Undertow from 2.2.22.SP3-redhat-00001 to 2.2.23.SP1
JBEAP-24341 - (7.4.z) Upgrade Ironjacamar from 1.5.10.Final-redhat-00001 to 1.5.11.Final-redhat-00001
JBEAP-24363 - (7.4.z) Upgrade org.jboss.spec.javax.el:jboss-el-api_3.0_spec from 2.0.0.Final-redhat-00001 to 2.0.1.Final
JBEAP-24372 - (7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012
JBEAP-24380 - (7.4.z) Upgrade jastow from 2.0.11.Final-redhat-00001 to 2.0.14.Final-redhat-00001
JBEAP-24383 - [GSS](7.4.z) Upgrade artemis-wildfly-integration from 1.0.4 to 1.0.7
JBEAP-24384 - (7.4.z) Upgrade netty from 4.1.77.Final-redhat-00001 to 4.1.86.Final
JBEAP-24385 - (7.4.z) Upgrade WildFly Core from 15.0.22.Final-redhat-00001 to 15.0.23.Final-redhat-00001
JBEAP-24395 - [GSS](7.4.z) Upgrade jboss-ejb-client from 4.0.49.Final-redhat-00001 to 4.0.50.Final
JBEAP-24507 - (7.4.z) RESTEASY-3285 Upgrade resteasy 3.15.x to mime4j 0.8.9
JBEAP-24535 - [GSS](7.4.z) UNDERTOW-2239 - Infinite loop in `SslConduit` during close on JDK 11
JBEAP-24574 - [PST](7.4.z) Upgrade snakeyaml from 1.33.0.redhat-00001 to 1.33.SP1.redhat-00001
JBEAP-24588 - [GSS](7.4.z) RHEL9 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9
JBEAP-24605 - [PST](7.4.z) Upgrade undertow from 2.2.23.SP1-redhat-00001 to 2.2.23.SP2
JBEAP-24618 - (7.4.z) Upgrade WildFly Core from 15.0.23.Final-redhat-00001 to 15.0.25.Final-redhat-00001

6. References:

  https://access.redhat.com/security/cve/CVE-2022-1471
  https://access.redhat.com/security/cve/CVE-2022-4492
  https://access.redhat.com/security/cve/CVE-2022-38752
  https://access.redhat.com/security/cve/CVE-2022-41853
  https://access.redhat.com/security/cve/CVE-2022-41854
  https://access.redhat.com/security/cve/CVE-2022-41881
  https://access.redhat.com/security/cve/CVE-2022-45787
  https://access.redhat.com/security/cve/CVE-2023-0482
  https://access.redhat.com/security/cve/CVE-2023-1108
  https://access.redhat.com/security/updates/classification/#important
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=7.4
  https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/
  https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.