Headline
RHSA-2022:0438: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4 security update
An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-4104: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
- CVE-2022-23302: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
- CVE-2022-23305: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
- CVE-2022-23307: log4j: Unsafe deserialization flaw in Chainsaw log viewer
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
- Red Hat CodeReady Studio
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2022-02-03
Updated:
2022-02-03
RHSA-2022:0438 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: Red Hat JBoss Enterprise Application Platform 6.4 security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This asynchronous patch is an update for JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5, 6, and 7. All users of Red Hat JBoss Enterprise Application Platform 6.4 are advised to upgrade to this updated package.
Security Fix(es):
- log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)
- log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
- log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)
- log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
- JBoss Enterprise Application Platform 6.4 for RHEL 7 x86_64
- JBoss Enterprise Application Platform 6.4 for RHEL 7 ppc64
- JBoss Enterprise Application Platform 6.4 for RHEL 6 x86_64
- JBoss Enterprise Application Platform 6.4 for RHEL 6 ppc64
- JBoss Enterprise Application Platform 6.4 for RHEL 6 i386
- JBoss Enterprise Application Platform 6 for RHEL 7 x86_64
- JBoss Enterprise Application Platform 6 for RHEL 7 ppc64
- JBoss Enterprise Application Platform 6 for RHEL 6 x86_64
- JBoss Enterprise Application Platform 6 for RHEL 6 ppc64
- JBoss Enterprise Application Platform 6 for RHEL 6 i386
Fixes
- BZ - 2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
- BZ - 2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
- BZ - 2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
- BZ - 2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer
CVEs
- CVE-2021-4104
- CVE-2022-23302
- CVE-2022-23305
- CVE-2022-23307
References
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/6.4/
JBoss Enterprise Application Platform 6.4 for RHEL 7
SRPM
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7.src.rpm
SHA-256: 54c553bdd01517f268758d172dfd050d891535bc675a11463af1b8c5599a7687
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el7.src.rpm
SHA-256: 849affca8f79249236829fa5a37d2b23414db8a9890cfa6babe1b2268574f870
x86_64
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7.noarch.rpm
SHA-256: 04f9ba70cf8198ef65566fc4cc0430a685b7607c94cd8e598a6376f6cf5eef20
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch.rpm
SHA-256: babaed504f5a8c6aafef386578c3dddf3f46aae0e511a090e60f93687c272b71
ppc64
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7.noarch.rpm
SHA-256: 04f9ba70cf8198ef65566fc4cc0430a685b7607c94cd8e598a6376f6cf5eef20
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch.rpm
SHA-256: babaed504f5a8c6aafef386578c3dddf3f46aae0e511a090e60f93687c272b71
JBoss Enterprise Application Platform 6.4 for RHEL 6
SRPM
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el6.src.rpm
SHA-256: 40f4788e4b0b86c07daac276295f24c9308b118b92522899292ab46b3658c715
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el6.src.rpm
SHA-256: 6a2829f678feec037287018cc5be1e2786f17a414419d46636603d835c5e68f4
x86_64
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el6.noarch.rpm
SHA-256: 9835f6fd7a72a36c6963ce0ce9fdf829e9d71b425f44ac4d3fe27bf40b8065d6
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch.rpm
SHA-256: eaf02ed754578c4a86bfc53cbd7862ceca3d5286a714c89fa37df1954fafe35e
ppc64
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el6.noarch.rpm
SHA-256: 9835f6fd7a72a36c6963ce0ce9fdf829e9d71b425f44ac4d3fe27bf40b8065d6
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch.rpm
SHA-256: eaf02ed754578c4a86bfc53cbd7862ceca3d5286a714c89fa37df1954fafe35e
i386
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el6.noarch.rpm
SHA-256: 9835f6fd7a72a36c6963ce0ce9fdf829e9d71b425f44ac4d3fe27bf40b8065d6
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch.rpm
SHA-256: eaf02ed754578c4a86bfc53cbd7862ceca3d5286a714c89fa37df1954fafe35e
JBoss Enterprise Application Platform 6 for RHEL 7
SRPM
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7.src.rpm
SHA-256: 54c553bdd01517f268758d172dfd050d891535bc675a11463af1b8c5599a7687
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el7.src.rpm
SHA-256: 849affca8f79249236829fa5a37d2b23414db8a9890cfa6babe1b2268574f870
x86_64
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7.noarch.rpm
SHA-256: 04f9ba70cf8198ef65566fc4cc0430a685b7607c94cd8e598a6376f6cf5eef20
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch.rpm
SHA-256: babaed504f5a8c6aafef386578c3dddf3f46aae0e511a090e60f93687c272b71
ppc64
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7.noarch.rpm
SHA-256: 04f9ba70cf8198ef65566fc4cc0430a685b7607c94cd8e598a6376f6cf5eef20
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el7.noarch.rpm
SHA-256: babaed504f5a8c6aafef386578c3dddf3f46aae0e511a090e60f93687c272b71
JBoss Enterprise Application Platform 6 for RHEL 6
SRPM
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el6.src.rpm
SHA-256: 40f4788e4b0b86c07daac276295f24c9308b118b92522899292ab46b3658c715
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el6.src.rpm
SHA-256: 6a2829f678feec037287018cc5be1e2786f17a414419d46636603d835c5e68f4
x86_64
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el6.noarch.rpm
SHA-256: 9835f6fd7a72a36c6963ce0ce9fdf829e9d71b425f44ac4d3fe27bf40b8065d6
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch.rpm
SHA-256: eaf02ed754578c4a86bfc53cbd7862ceca3d5286a714c89fa37df1954fafe35e
ppc64
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el6.noarch.rpm
SHA-256: 9835f6fd7a72a36c6963ce0ce9fdf829e9d71b425f44ac4d3fe27bf40b8065d6
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch.rpm
SHA-256: eaf02ed754578c4a86bfc53cbd7862ceca3d5286a714c89fa37df1954fafe35e
i386
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el6.noarch.rpm
SHA-256: 9835f6fd7a72a36c6963ce0ce9fdf829e9d71b425f44ac4d3fe27bf40b8065d6
log4j-jboss-logmanager-1.1.4-3.Final_redhat_00002.1.ep6.el6.noarch.rpm
SHA-256: eaf02ed754578c4a86bfc53cbd7862ceca3d5286a714c89fa37df1954fafe35e
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.