[RHSA-2020:2563-01] Important: EAP Continuous Delivery Technical Preview Release 14 security update
Posted on 15 June 2020
=====================================================================
Red Hat Security Advisory
Synopsis: Important: EAP Continuous Delivery Technical Preview Release 14 security update
Advisory ID: RHSA-2020:2563-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2563
Issue date: 2020-06-15
CVE Names: CVE-2017-7465 CVE-2017-7503
=====================================================================
1. Summary:
This is a security update for JBoss EAP Continuous Delivery 14.0.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat JBoss Enterprise Application Platform CD14 is a platform for Java
applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform CD14 includes
bug fixes and enhancements.
Security Fix(es):
* XML Frameworks: JBoss: JAXP in EAP 7.0 allows RCE via XSL (CVE-2017-7465)
* XML Frameworks: TransformerFactory in JBoss EAP 7 is vulnerable to XXE
(CVE-2017-7503)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
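Both fixes above concern JAXP XML processing (an XXE in TransformerFactory and code execution via a crafted XSL stylesheet). As an added example that is not part of this advisory, the Java snippet below shows how application code can configure a JAXP TransformerFactory so that external DTDs and external stylesheets are refused rather than resolved, a defence-in-depth setting to use alongside applying this update. The class name, the identity stylesheet and the two sample documents (including the placeholder DTD host) are constructed for the illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerFactory {

    // The weak form is a bare TransformerFactory.newInstance(): depending on the
    // JAXP implementation it may fetch external DTDs and stylesheets named in
    // untrusted input. Here we enable secure processing and set empty allow-lists
    // for external DTD and stylesheet access, so outside references are refused.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Implementations that do not know these properties throw
        // IllegalArgumentException here; let that propagate and fail closed.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Identity transform of a document string; throws if the input is refused.
    static String transform(TransformerFactory tf, String xml) throws TransformerException {
        String identity = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"/\"><xsl:copy-of select=\".\"/></xsl:template></xsl:stylesheet>";
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(identity)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one whose DOCTYPE points at an
        // external DTD (placeholder host, not a real resource).
        String plain = "<order><id>42</id></order>";
        String external = "<!DOCTYPE order SYSTEM \"http://dtd.example.invalid/order.dtd\">" + plain;
        TransformerFactory tf = hardenedFactory();
        System.out.println(transform(tf, plain));
        try {
            transform(tf, external);
            System.out.println("WARNING: external DTD was fetched; factory is not hardened");
        } catch (TransformerException e) {
            System.out.println("external DTD refused: " + e.getMessage());
        }
    }
}
```

The plain document passes through unchanged, while the document with the external DTD reference is rejected by the hardened factory before any network access is attempted.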
3. Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
You must restart the JBoss server process for the update to take effect.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1439980 - CVE-2017-7465 JBoss: JAXP in EAP 7.0 allows RCE via XSL
1451960 - CVE-2017-7503 EAP: XXE issue in TransformerFactory
5. References:
https://access.redhat.com/security/cve/CVE-2017-7465
https://access.redhat.com/security/cve/CVE-2017-7503
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=eap-cd&version=14
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.