-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2943
         Important: Red Hat JBoss Data Grid 7.1.1 security update
                              17 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Data Grid
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12629 CVE-2017-5645 CVE-2016-0750

Reference:         ESB-2017.2580
                   ESB-2017.2438
                   ESB-2017.1829
                   ESB-2017.1442

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2017:3244

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Data Grid 7.1.1 security update
Advisory ID:       RHSA-2017:3244-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3244
Issue date:        2017-11-16
CVE Names:         CVE-2016-0750 CVE-2017-5645 CVE-2017-12629
=====================================================================

1. Summary:

Red Hat JBoss Data Grid 7.1.1 is now available for download from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Data Grid is a distributed in-memory data grid, based on
Infinispan.

This release of Red Hat JBoss Data Grid 7.1.1 serves as a replacement for
Red Hat JBoss Data Grid 7.1.0, and includes bug fixes and enhancements,
which are documented in the Release Notes linked to in the References.

Security Fix(es):

* It was found that Apache Lucene would accept an object from an
unauthenticated user that could be manipulated through subsequent POST
requests. An attacker could use this flaw to assemble an object that could
permit execution of arbitrary code if the server enabled Apache Solr's
Config API. (CVE-2017-12629)

* It was found that when using remote logging with the log4j socket server,
the log4j server would deserialize any log event received via TCP or UDP.
An attacker could use this flaw to send a specially crafted log event that,
during deserialization, would execute arbitrary code in the context of the
logger application. (CVE-2017-5645)

* The Hot Rod Java client in Infinispan automatically deserializes byte
array message contents in certain events. A malicious user could exploit
this flaw by injecting a specially crafted serialized object to attain
remote code execution or conduct other attacks. (CVE-2016-0750)

For more information regarding CVE-2017-12629, see the article linked in
the References section.

Red Hat would like to thank Sebastian Olsson (TrueSec) for reporting
CVE-2016-0750.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Data Grid
installation (including databases, configuration files, and so on).

4. Bugs fixed (https://bugzilla.redhat.com/):

1300443 - CVE-2016-0750 hotrod client: unchecked deserialization in marshaller util
1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
1501529 - CVE-2017-12629 Solr: Code execution via entity expansion

5. References:

https://access.redhat.com/security/cve/CVE-2016-0750
https://access.redhat.com/security/cve/CVE-2017-5645
https://access.redhat.com/security/cve/CVE-2017-12629
https://access.redhat.com/security/vulnerabilities/CVE-2017-12629
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions&version=7.1.1
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFaDexmXlSAg2UNWIIRAhoOAKCQNZO73b4cdN8EIKNv+ON1SwomPACfSCDR
XYLivDMeuJC1UEgHLdZy+DE=
=ut90
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWg5PIIx+lLeg9Ub1AQiklRAApf3XDqRjerRjSMnbiBIxx8KiDkRRxDII
3SN0QY3iaxqASUt7QEphm/KzN+YsPHPZUjwL77kbUcmzh66Rbmfejrabnnv7wSOO
yUTm6M5Dutiu9czZ8YzNxOuaGeB6aoMF0Ic4TJOE2/DWiio1VWIjFveh35sTFvjx
/m+Cy/YidfebZGg5xc3S8pHpxQ+kXUikgd0an5S0CxkGF3LMwdjzymbzdVrZvfwq
kbxPLKc/EGjQmRC3LSLSrF0lh5qVmWwnA486q7YG8wFWtSViWuY2+gBgES8psBM/
kAfAZDr/L5iLpWbZe2xue5XpbjbTjyseTY20rWo2dziq4vDBcaiu7346aKn01ebg
XEP8/VvHtNLm+e9b5XkBuhIvXgsRTSLhMcC7PZzsE12iTdTP9ZFqjFS5GThtffeh
U6G1LBe1knms6hmRZ7yhL3RQTy8AHodpa7mQfB+HPHuugwP5ucJdy8IZq8juwtdD
HTMPl8LM6nPObYF8OxYU2OLZlOnV0bTvM4TVFDo4irvlPF24H19f99ojYSH2tH+T
lCep6yUKCj71mUJK9MAU4SHgwFgsZ1rsXk0FepzVqEXn0jBcaT2R4Cj8of0/xbF1
COwh3NZS5Xr0BjdgcPUVJbweo6yzV/8pdDTtJ9BtYZmQliADLGPIahelY0+JUEYZ
2WlUB2TIOKs=
=Twdc
-----END PGP SIGNATURE-----
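Two of the three flaws in the Security Fix(es) section above, the log4j socket server issue (CVE-2017-5645) and the Hot Rod client issue (CVE-2016-0750), share one root cause: bytes received from a network peer are passed to ObjectInputStream.readObject(), which resolves and instantiates whatever class the peer named in the stream before the receiving code gets to look at the result. The following is an added example, not code from Infinispan, log4j or Red Hat, that places that receiver beside one whose resolveClass() refuses every class not on an allowlist. The LogEvent class, the allowlist contents and the sample payloads are constructed for this example; the advisory describes neither.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/*
 * Added example, not Infinispan/log4j/Red Hat code. Contrasts an unchecked
 * readObject() on network-supplied bytes with an allowlisting receiver.
 * LogEvent and the allowlist are assumptions made for this example.
 */
public class DeserializationAllowlistExample {

    /** Hypothetical stand-in for a log event or Hot Rod event payload. */
    public static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String logger;
        public final String message;

        public LogEvent(String logger, String message) {
            this.logger = logger;
            this.message = message;
        }
    }

    /**
     * The vulnerable shape: any class named in the stream is resolved and
     * its readObject()/readResolve() logic runs before the caller can
     * inspect the returned object.
     */
    public static Object receiveUnchecked(byte[] fromNetwork)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(fromNetwork))) {
            return in.readObject();
        }
    }

    /** ObjectInputStream that rejects every class descriptor outside the allowlist. */
    public static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Runs for every class descriptor in the stream, nested fields
            // included, and before the class is loaded. An IOException here
            // propagates straight out of readObject().
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Only the event type itself; String fields never reach resolveClass().
    private static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList(LogEvent.class.getName()));

    public static Object receiveAllowlisted(byte[] fromNetwork)
            throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(fromNetwork), ALLOWED)) {
            return in.readObject();
        }
    }

    /** Serializes an object the way a remote peer would before sending it. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one legitimate event, one class the receiver never asked for.
        byte[] benign = serialize(new LogEvent("org.example.cache", "cache started"));
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        LogEvent ok = (LogEvent) receiveAllowlisted(benign);
        System.out.println("accepted: " + ok.logger + " / " + ok.message);

        // The unchecked receiver materialises the HashMap without complaint; a
        // gadget class on the classpath would be treated exactly the same way.
        System.out.println("unchecked receiver returned: " + receiveUnchecked(unexpected).getClass());
        try {
            receiveAllowlisted(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("allowlisted receiver rejected: " + e.classname);
        }
    }
}
```

Compile and run with `javac DeserializationAllowlistExample.java && java DeserializationAllowlistExample`. On Java 9 and later (and in the 8u121 backport) the same policy can be attached with the JDK's own ObjectInputFilter (JEP 290) instead of subclassing ObjectInputStream. Either way the allowlist is defence in depth, not a replacement for the 7.1.1 update: a class that is on the allowlist can still be abused if its own deserialization logic is unsafe, and CVE-2017-12629 is reached through Solr's Config API rather than through readObject(), so it is not addressed by this pattern at all.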