-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2034
 Important: Red Hat JBoss Data Virtualization 6.3 Update 7 security update
                              16 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Data Virtualization
Publisher:         Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-7525 CVE-2017-5637 CVE-2015-3254

Reference:         ESB-2017.1867
                   ESB-2017.1866
                   ESB-2017.1863
                   ESB-2017.1398

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:2477

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Data Virtualization 6.3 Update 7 security update
Advisory ID:       RHSA-2017:2477-01
Product:           Red Hat JBoss Data Virtualization
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2477
Issue date:        2017-08-15
CVE Names:         CVE-2015-3254 CVE-2017-5637 CVE-2017-7525 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Data Virtualization.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Data Virtualization is a lean data integration solution that
provides easy, real-time, and unified data access across disparate sources
to multiple applications and users. JBoss Data Virtualization makes data
spread across physically distinct systems - such as multiple databases, XML
files, and even Hadoop systems - appear as a set of tables in a local
database.

This release of Red Hat JBoss Data Virtualization 6.3 Update 7 serves as a
replacement for Red Hat JBoss Data Virtualization 6.3 Update 6, and
includes bug fixes and enhancements, which are documented in the Release
Notes document linked to in the References.

Security Fix(es):

* A deserialization flaw was discovered in the jackson-databind which could
allow an unauthenticated user to perform code execution by sending the
maliciously crafted input to the readValue method of the ObjectMapper.
(CVE-2017-7525)

* A vulnerability was discovered in Apache Thrift client libraries that
allows remote, authenticated attackers to cause an infinite recursion via
vectors involving the skip function; resulting in a denial of service (DoS)
condition. (CVE-2015-3254)

* A denial of service vulnerability was discovered in ZooKeeper which
allows an attacker to dramatically increase CPU utilization by abusing
"wchp/wchc" commands, leading to the server being unable to serve
legitimate requests. (CVE-2017-5637)

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting
CVE-2017-7525.

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Data
Virtualization installation (including its databases, applications,
configuration files, and so on).

Note that it is recommended to halt the Red Hat JBoss Data Virtualization
server by stopping the JBoss Application Server process before installing
this update, and then after installing the update, restart the Red Hat
JBoss Data Virtualization server by starting the JBoss Application Server
process.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1454808 - CVE-2017-5637 zookeeper: Incorrect input validation with wchp/wchc four letter words
1462702 - CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
1462783 - CVE-2015-3254 thrift: Infinite recursion via vectors involving the skip function

5. References:

https://access.redhat.com/security/cve/CVE-2015-3254
https://access.redhat.com/security/cve/CVE-2017-5637
https://access.redhat.com/security/cve/CVE-2017-7525
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.3.0

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZkw+VXlSAg2UNWIIRAjRPAKCQB3sAGC0r8CRA7UAwANIGLYbYOACglbUm
yNok32QMlwbMdl5AsafILjg=
=9Aix
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWZOU2Yx+lLeg9Ub1AQgEOg//aKDg/77z785YL92oaVoh6fLB7/rKt3bQ
J1MdaQt/oRp93d7zjufqkz+eXF8TL+yyz6UCNOUZ8FI/TMvxexhsqAg4JZGakmSM
lcLZycV8R3bA2kWaZZpNEl3eniEWjSw9ox2XYx2hpBjZ/U3YxzScmcDbq5FKqyZo
fmhgFhlXnRfBZLaln6ja4Ty4jNtvvLF3PGFPnBl1IXCu53PcslISRVk1EoZp1qFJ
yFmm7eMTH5EeHXxvUZGgYsC0jr5HQ2CLIQq/96d5RXQ9gNN+qyhaLGCBu3dw8Wq0
5z1+SXZYgC11nD1svt97ucq9wSmS14ZCaHhhV5Q5FMBXvUxhJxUi1gEj19sdJXR1
pO3uoyKEU3qJC6d2PzLAWcvPmlf/PylW1ZCnVZmskISlxJ0eFWPYhaYDRsHZoVh2
W5HFNABdeMFd1zaScLs72/dMoY9B1bmnCxvqVxUHRvxDrZjWSHaKIBkiWEsqNl+U
5FXToqaqamYuKRLsH8dgeBRL5qfpQjEbM4R8T6LNESXR7oR/Bnfg2Jhqzv7ja/xj
F6o7nT5WJzObHb14PvAvIy39jn9A8DIZLiXpcTPvwj8C6wU05I6PHsHFrhyAcDWg
/UGQB3hJxJBAdB1UAmkjUXCn8dIuuBLZOfZc/vsfhMf5Qk8zaAGnjWAvuIRMpITb
s1zOW0f8HbI=
=JkTW
-----END PGP SIGNATURE-----