Headline

RHSA-2022:0436: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

CVE-2021-4104: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
CVE-2022-23302: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
CVE-2022-23305: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
CVE-2022-23307: log4j: Unsafe deserialization flaw in Chainsaw log viewer

3 years ago

Red Hat Security Data

Open in Source

#sql #vulnerability #web #linux #red_hat #nodejs #js #java #kubernetes

Skip to navigation Skip to main content

Utilities

Subscriptions
Downloads
Containers
Support Cases

Red Hat Customer Portal

Infrastructure and Management

Red Hat Enterprise Linux
Red Hat Virtualization
Red Hat Identity Management
Red Hat Directory Server
Red Hat Certificate System
Red Hat Satellite
Red Hat Subscription Management
Red Hat Update Infrastructure
Red Hat Insights
Red Hat Ansible Automation Platform

Cloud Computing

Red Hat OpenShift
Red Hat CloudForms
Red Hat OpenStack Platform
Red Hat OpenShift Container Platform
Red Hat OpenShift Data Science
Red Hat OpenShift Online
Red Hat OpenShift Dedicated
Red Hat Advanced Cluster Security for Kubernetes
Red Hat Advanced Cluster Management for Kubernetes
Red Hat Quay
Red Hat CodeReady Workspaces
Red Hat OpenShift Service on AWS

Storage

Red Hat Gluster Storage
Red Hat Hyperconverged Infrastructure
Red Hat Ceph Storage
Red Hat OpenShift Data Foundation

Runtimes

Red Hat Runtimes
Red Hat JBoss Enterprise Application Platform
Red Hat Data Grid
Red Hat JBoss Web Server
Red Hat Single Sign On
Red Hat support for Spring Boot
Red Hat build of Node.js
Red Hat build of Thorntail
Red Hat build of Eclipse Vert.x
Red Hat build of OpenJDK
Red Hat build of Quarkus
Red Hat CodeReady Studio

Integration and Automation

Red Hat Process Automation
Red Hat Process Automation Manager
Red Hat Decision Manager

All Products

Issued:

2022-02-03

Updated:

2022-02-03

RHSA-2022:0436 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat JBoss Enterprise Application Platform 7.4 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.

Security Fix(es):

log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

JBoss Enterprise Application Platform 7.4 for RHEL 8 x86_64
JBoss Enterprise Application Platform 7.4 for RHEL 7 x86_64

Fixes

BZ - 2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
BZ - 2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
BZ - 2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
BZ - 2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

CVEs

CVE-2021-4104
CVE-2022-23302
CVE-2022-23305
CVE-2022-23307

References

https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

JBoss Enterprise Application Platform 7.4 for RHEL 8

SRPM

eap7-log4j-jboss-logmanager-1.2.2-1.Final_redhat_00002.1.el8eap.src.rpm

SHA-256: 1e9de99c509021239f20e9d26cbf177034effd1a828ef5e03c51f5277c609170

x86_64

eap7-log4j-jboss-logmanager-1.2.2-1.Final_redhat_00002.1.el8eap.noarch.rpm

SHA-256: 7df20d60644798c9477cc6c6cfe158cdae3a1b7e8c253e55131de4edb2890514

JBoss Enterprise Application Platform 7.4 for RHEL 7

SRPM

eap7-log4j-jboss-logmanager-1.2.2-1.Final_redhat_00002.1.el7eap.src.rpm

SHA-256: 19f66450be38ca780efed744752d75bdfe2ae752500c017eee3fe9b5b1a7f323

x86_64