- Issued:
- 2018-10-16
- Updated:
- 2018-10-16
RHSA-2018:2930 - Important: Red Hat JBoss Operations Network 3.3.11 security and bug fix update
Synopsis
Important: Red Hat JBoss Operations Network 3.3.11 security and bug fix update
Type/Severity
Security Advisory Important
Topic
An update is now available for Red Hat JBoss Operations Network.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services.
This JBoss Operations Network 3.3.11 release serves as a replacement for JBoss Operations Network 3.3.10, and includes several bug fixes. Refer to the Customer Portal page linked in the References section for information on the most significant of these changes.
Security Fix(es):
-
RichFaces: Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource (CVE-2018-12533)
-
jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095) (CVE-2017-17485)
-
tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)
-
slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank 0c0c0f from 360观星实验室 for reporting CVE-2017-17485 and Chris McCown for reporting CVE-2018-8088.
Solution
Before applying this update, back up your existing JBoss Operations Network installation (including its databases, applications, configuration files, the JBoss Operations Network server's file system directory, and so on).
The References section of this erratum contains a download link (you must log in to download the update).
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat JBoss Middleware | Text-Only Advisories | x86_64 |
Fixes
- This content is not included.BZ - 1127359
- This content is not included.BZ - 1418034
- This content is not included.BZ - 1517717
- This content is not included.BZ - 1522728
- This content is not included.BZ - 1528565
- This content is not included.BZ - 1540527
- This content is not included.BZ - 1540707
- This content is not included.BZ - 1542125
- This content is not included.BZ - 1544424
- This content is not included.BZ - 1545742
- This content is not included.BZ - 1548909
- This content is not included.BZ - 1559622
- This content is not included.BZ - 1575920
- This content is not included.BZ - 1579733
- This content is not included.BZ - 1584490
- This content is not included.BZ - 1594305
- This content is not included.BZ - 1597947
- This content is not included.BZ - 1607591
CVEs
References
- https://access.redhat.com/security/updates/classification/#important
- This content is not included.This content is not included.https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.