-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3132
    Red Hat JBoss Operations Network 3.3.11 security and bug fix update
                              17 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Operations Network
Publisher:         Red Hat
Operating System:  Red Hat
                   Windows
                   Solaris
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12533 CVE-2018-8088 CVE-2018-1336
                   CVE-2017-17485 CVE-2017-15095 

Reference:         ESB-2018.3129
                   ESB-2018.2879

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2930

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Operations Network 3.3.11 security 
                   and bug fix update
Advisory ID:       RHSA-2018:2930-01
Product:           Red Hat JBoss Operations Network
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2930
Issue date:        2018-10-16
CVE Names:         CVE-2017-17485 CVE-2018-1336 CVE-2018-8088 
                   CVE-2018-12533 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Operations Network.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Operations Network is a Middleware management solution that
provides a single point of control to deploy, manage, and monitor JBoss
Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.11 release serves as a replacement for
JBoss Operations Network 3.3.10, and includes several bug fixes. Refer to
the Customer Portal page linked in the References section for information
on the most significant of these changes.

Security Fix(es):

* RichFaces: Injection of arbitrary EL expressions allows remote code
execution via org.richfaces.renderkit.html.Paint2DResource (CVE-2018-12533)

* jackson-databind: Unsafe deserialization due to incomplete black list
(incomplete fix for CVE-2017-15095) (CVE-2017-17485)

* tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)

* slf4j: Deserialisation vulnerability in EventData constructor can allow
for arbitrary code execution (CVE-2018-8088)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank 0c0c0f from 360????? for reporting
CVE-2017-17485 and Chris McCown for reporting CVE-2018-8088.

3. Solution:

Before applying this update, back up your existing JBoss Operations Network
installation (including its databases, applications, configuration files,
the JBoss Operations Network server's file system directory, and so on).

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1127359 - WARN  [org.jboss.as.txn] (ServerService Thread Pool -- 54) JBAS010153: 
          Node identifier property is set to the default value
1418034 - Orphaned configuration still left in database
1517717 - JBoss ON storage nodes fail to form the cluster due to rpc_address set 
          to the hostname instead to the IP address as configured in the 
          rhq-server.properties file
1522728 - Attempt to execute disablePlugin, enablePlugin or deletePlugin methods 
          (PluginManager) fails due to method is not supplied
1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete 
          black list (incomplete fix for CVE-2017-15095)
1540527 - Exceptions in server and agent log after uninvetory of platform with 
          storage node
1540707 - rhq-agent-wrapper.sh is stuck on Solaris 11 SPARC
1542125 - JBoss ON user's roles do not match LDAP mapping if user is logged in 
          using REST API
1544424 - NPE - Error updating MeasurementSchedules for Agent
1545742 - Failure to collect measurement data for {RHQStorage}MessagingService in 
          additional storage node
1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData 
          constructor can allow for arbitrary code execution
1559622 - Add note to rhq-server.properties about URL format and values dependent 
          on database configuration
1575920 - When an alert template is applied to a message containing Russian 
          characters (which are properly shown in the JBoss ON UI), they will be 
          replaced in the received email with the "?" characters
1579733 - JBoss ON server unable to purge unused alert definitions due to the 
          transaction timeout 
1584490 - CVE-2018-12533 RichFaces: Injection of arbitrary EL expressions allows 
          remote code execution via org.richfaces.renderkit.html.Paint2DResource
1594305 - Failed to auto-calculate baselines due to TransientPropertyValueException: 
          object references an unsaved transient instance 
          org.rhq.core.domain.measurement.MeasurementSchedule.baseline -> 
          org.rhq.core.domain.measurement.MeasurementBaseline
1597947 - Failure to enable Alert:Email Server Plugin
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2017-17485
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/cve/CVE-2018-8088
https://access.redhat.com/security/cve/CVE-2018-12533
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW8YagdzjgjWX9erEAQhp+A/5AbljwJ4cSVyiVSdjyS2WHgTlRxL43OEK
gSxZ0W6FDuOAlXRIkNknaWOrDW0tgPAXLwWAXJNVzd2m3Gtawoz3UFdAnCV3Y9FM
Cnl6yW0Ewmby6fIkO3C4RRs8ruG76gC8Zwh9CHlWLlf8FOElRd9j2hQ6vJXVMjDk
pp0wJeQG72BohTCLJQXZaEvUsLz5/9ln9c3jkdU1UVk0qbHefQ5I5QN0OI6pcLrS
RPIcT8dl0zKcjzQEZk7r9bCQHc2YOBabYwF8EsznQmyha2+xAzrSW4pTObCkUU7U
is4UkA87qluPoRwE4FkJ8FC52ThnCY4pD268AsUzpw8pn2kg51jdSxdY5s2O53BV
kZllxeDafHoX9tYrzDoAywTJJPXL85Od40X+UzxUGBHy732F817YOrjqbDoS09xa
Y2VcK2xl9Li7+Z1c5M6KDX+UBPGA+M42MEyxW6ubN6LmMau64/vOTI7MhjiEwxPM
3I5FpFxwT0jnT/TZJGx8kzUZ9cqTvHHqN5aPWoqh2KssXIskRZNzROuqGqWH6KBg
xodniq9vrC9ATT0cTv86Z52TV5NcjuSKBj2aqbIMhqVZty82lb2u/OmRlsH2WAUr
ndW5P+S0cr2XUZjZh2SS9FVYfKXc0gsBmt7+cTYNZ6U+kpMlX0YQ3vMYCExY5sUX
1R/d7rmXVmo=
=WdMi
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW8a6vGaOgq3Tt24GAQjUgQ//fA9cHgbNau/P3Yt/ZjQf+Ap2jTwaCISD
N2l6bX1PICACO8QKYpvm7qhtzsoAcafy0lH4Lxe/Iu6exyMfPQ+/WpbFRzhH7Sgs
gp9ZMlNiwJ2Q4WK5ibaP458+xrRWeNVQdHsKwBHaXZlIOLM5zNd4d15T8sNcdXl4
9/txrBdxc0f1guf0MjHBmFKKHc4n3+DI6jN+Da22mjVgrxySF7gLVjGDCMMVuZkN
N3Wsi9C78XG2ydy3HeawYxVWrKQG6nY1nt4gpVaUiyODz2u7svmfdd0qYI5MXgV+
C1HMVrGEtaCLQiwzbaLYHP14REPil+NYMwCFcUIem7qbB5MSUfPHb2a8t3YrPT0w
9nWxzs8mHciOaNV10G9b8/lTlTGMTmraMYlvRfhjwLooL0R1LuDPrsJfVJAa6Qrj
lOnlSrWSDmV1rHI/xbM7gzU6r+v+FXydo3AjokWBzjzgZU6DVlVQFEGTJ1qOUgOY
R6ROFFlxxEWPGIkOtdnn/Xv9VpjreinvQ1SjyjhxwE3sZa+CYtqXFFxGm1GaiLPz
C3YBk3QXOK5Oenn2uKkDu/Ryvi/jBHX6ir46qZcP4TOWdNMjMu426keBlkzNZ834
q9Jw1KS5chIklYoOmMyr01JkeYFJpXKNGu674gnTotr8uQmkdTlrSBadgvkC3zol
s/kLMYxXyvQ=
=KBQa
-----END PGP SIGNATURE-----