Nacionalni CERT

Security vulnerabilities in the JBoss Data Grid software package

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Data Grid 7.1.2 security update
Advisory ID:       RHSA-2018:0294-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:0294
Issue date:        2018-02-12
CVE Names:         CVE-2014-9970 CVE-2017-7525 CVE-2017-15089
=====================================================================

1. Summary:

Red Hat JBoss Data Grid 7.1.2 is now available for download from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Data Grid is a distributed in-memory data grid, based on
Infinispan.

This release of Red Hat JBoss Data Grid 7.1.2 serves as a replacement for
Red Hat JBoss Data Grid 7.1.1, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* A deserialization flaw was discovered in the jackson-databind which could
allow an unauthenticated user to perform code execution by sending the
maliciously crafted input to the readValue method of the ObjectMapper.
(CVE-2017-7525)

* It was found that the Hotrod client in Infinispan would unsafely read
deserialized data on information from the cache. An authenticated attacker
could inject a malicious object into the data cache and attain
deserialization on the client, and possibly conduct further attacks.
(CVE-2017-15089)

* A vulnerability was found in Jasypt that would allow an attacker to
perform a timing attack on password hash comparison. (CVE-2014-9970)

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting
CVE-2017-7525 and Man Yue Mo (Semmle/lgtm.com) for reporting
CVE-2017-15089.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

Before applying the update, back up your existing Red Hat JBoss Data Grid
installation (including databases, configuration files, and so on).

4. Bugs fixed (https://bugzilla.redhat.com/):

1455566 - CVE-2014-9970 jasypt: Vulnerable to timing attack against the password hash comparison
1462702 - CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
1503610 - CVE-2017-15089 infinispan: Unsafe deserialization of malicious object injected into data cache

5. References:

https://access.redhat.com/security/cve/CVE-2014-9970
https://access.redhat.com/security/cve/CVE-2017-7525
https://access.redhat.com/security/cve/CVE-2017-15089
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?prod...
https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFagczfXlSAg2UNWIIRAiklAJoDbQxOZQQ7D8FZm+n+Ayrl0g6INACeKGdS
fRb6lZsQRwthr1F5mPiaZP8=
=1wIu
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
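The first fix in the advisory concerns polymorphic deserialization in jackson-databind: when the mapper lets the JSON document name the Java class to instantiate, a caller of readValue ends up constructing whatever class the sender chose. The Java example below is added here by the editor; it is not part of the Red Hat advisory and not Jackson's or Infinispan's own code. It places the permissive ObjectMapper setting (default typing with no restriction on the named class, the precondition for the CVE-2017-7525 class of attacks) beside the allowlisted configuration that jackson-databind 2.10 and later provide, and shows what each does with the same client-supplied input. The `Envelope` and `Greeting` classes and the sample JSON are constructed for the example; a harmless `java.util.HashMap` stands in for the attacker-chosen class, and no gadget chain is reproduced. It assumes jackson-databind 2.10 or later on the classpath.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/** Added example, not code from the advisory or from Jackson; assumes jackson-databind 2.10+. */
public final class PolymorphicDeserializationDemo {

    /** Hypothetical container: the field is declared as Object, so with default typing enabled
     *  the JSON document, not the application, decides which class gets instantiated. */
    public static final class Envelope {
        public Object payload;
    }

    /** The only payload type this hypothetical application actually expects. */
    public static final class Greeting {
        public String text;
    }

    /** Constructed sample input. The sender names a class the application never intended to
     *  deserialize; java.util.HashMap is harmless and stands in for an attacker's choice. */
    static final String UNTRUSTED_JSON =
        "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    /** Pre-fix style configuration: any class on the classpath can be named in the JSON.
     *  enableDefaultTyping() is deprecated since 2.10 precisely because of this. */
    @SuppressWarnings("deprecation")
    static ObjectMapper permissiveMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    /** Hardened configuration: polymorphic type ids are still honoured, but only for
     *  subtypes of Greeting; every other class name in the input is rejected. */
    static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Greeting.class)
            .build();
        return new ObjectMapper()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
    }

    /** Returns the concrete class the mapper produced for the payload, or the rejection reason. */
    static String describe(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return "accepted " + (e.payload == null ? "null" : e.payload.getClass().getName());
        } catch (IOException ex) {
            return "rejected: " + ex.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed input that uses the one type the application does expect.
        String expectedJson =
            "{\"payload\":[\"" + Greeting.class.getName() + "\",{\"text\":\"hi\"}]}";

        System.out.println("permissive,  untrusted: " + describe(permissiveMapper(), UNTRUSTED_JSON));
        System.out.println("allowlisted, untrusted: " + describe(allowlistedMapper(), UNTRUSTED_JSON));
        System.out.println("allowlisted, expected:  " + describe(allowlistedMapper(), expectedJson));
    }
}
```

The permissive mapper instantiates java.util.HashMap because the input asked for it; the allowlisted mapper throws an InvalidTypeIdException for the same input and still accepts the Greeting payload. The safest option remains not enabling default typing at all and declaring concrete field types; where polymorphism is genuinely needed, a validator allowlist of this kind limits the reachable classes to those the application expects rather than everything on the classpath.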
Security vulnerabilities have been discovered in the Red Hat JBoss Data Grid software package. The discovered vulnerabilities allow potential attackers to execute arbitrary code or disclose sensitive information. Updating with the released patches is advised.
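The third fix in the advisory concerns a timing side channel in password-hash comparison. The Java example below is added by the editor and is not Jasypt's code or part of the advisory; it shows the early-exit comparison pattern that leaks the length of the matching prefix through response time, beside a constant-time comparison that does the same amount of work regardless of where the inputs differ, and verifies a candidate password against a stored digest with the standard library's MessageDigest.isEqual. The storage format (base64 salt, a colon, base64 of SHA-256 over salt and password) and the sample credential are constructed for the example and are not Jasypt's format.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** Added example, not Jasypt's code; storage format and credential are constructed. */
public final class ConstantTimeCompareDemo {

    /** Early-exit comparison: the loop stops at the first differing byte, so the time taken
     *  depends on how long the common prefix is. An attacker measuring many responses can
     *  recover the stored digest byte by byte. This is the pattern CVE-2014-9970 describes. */
    static boolean leakyEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    /** Constant-time comparison: always visits every byte and accumulates the differences with
     *  OR, so the running time does not reveal where the first mismatch is. The length check
     *  is acceptable here because digest lengths are fixed and public. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /** SHA-256 over salt || password (constructed scheme for the example). */
    static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    /** Produces the constructed storage form: base64(salt) ':' base64(digest). */
    static String store(byte[] salt, String password) throws NoSuchAlgorithmException {
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(digest(salt, password));
    }

    /** Verifies a candidate against the stored value. MessageDigest.isEqual is the standard
     *  library's constant-time comparison; constantTimeEquals above shows what it does. */
    static boolean verify(String candidate, String stored) throws NoSuchAlgorithmException {
        String[] parts = stored.split(":", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        byte[] actual = digest(salt, candidate);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        String stored = store(salt, "correct horse battery staple"); // constructed credential

        System.out.println("right password: " + verify("correct horse battery staple", stored));
        System.out.println("wrong password: " + verify("Tr0ub4dor&3", stored));

        // Both comparisons return the same answers; only their timing behaviour differs.
        byte[] a = digest(salt, "correct horse battery staple");
        byte[] b = digest(salt, "Tr0ub4dor&3");
        System.out.println("comparisons agree: "
            + (leakyEquals(a, b) == constantTimeEquals(a, b)
               && leakyEquals(a, a) == constantTimeEquals(a, a)));
    }
}
```

The digest here is a single SHA-256 to keep the example short; real password storage should use a slow, salted KDF, which is a separate concern from the comparison issue the advisory describes. When auditing code for this flaw, look for String.equals or Arrays.equals applied to secret-derived values (digests, MACs, tokens) on a path an attacker can time, and replace them with MessageDigest.isEqual or an equivalent constant-time routine.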