—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Data Virtualization 6.4.8 security update
Advisory ID: RHSA-2019:3140-01
Product: Red Hat JBoss Data Virtualization
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3140
Issue date: 2019-10-17
CVE Names: CVE-2016-5397 CVE-2018-1335 CVE-2018-8088
CVE-2018-11307 CVE-2018-11798 CVE-2018-12022
CVE-2018-12023 CVE-2018-14718 CVE-2018-14719
CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2019-0201
=====================================================================
1. Summary:
An update is now available for Red Hat JBoss Data Virtualization.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat JBoss Data Virtualization is a lean data integration solution that
provides easy, real-time, and unified data access across disparate sources
to multiple applications and users. JBoss Data Virtualization makes data
spread across physically distinct systems – such as multiple databases, XML
files, and even Hadoop systems – appear as a set of tables in a local
database.
This release of Red Hat JBoss Data Virtualization 6.4.8 serves as a
replacement for Red Hat JBoss Data Virtualization 6.4.7, and includes bug
fixes and enhancements, which are documented in the Release Notes document
linked to in the References.
Security Fix(es):
* thrift: Improper file path sanitization in
t_go_generator.cc:format_go_output() of the go client library can allow an
attacker to inject commands (CVE-2016-5397)
* tika-core: tika: Command injection in tika-server can allow remote
attackers to execute arbitrary commands via crafted headers (CVE-2018-1335)
* slf4j: Deserialisation vulnerability in EventData constructor can allow
for arbitrary code execution (CVE-2018-8088)
* jackson-databind: Potential information exfiltration with default typing,
serialization gadget from MyBatis (CVE-2018-11307)
* libthrift: thrift: Improper Access Control grants access to files outside
the webservers docroot path (CVE-2018-11798)
* jackson-databind: improper polymorphic deserialization of types from
Jodd-db library (CVE-2018-12022)
* jackson-databind: improper polymorphic deserialization of types from
Oracle JDBC driver (CVE-2018-12023)
* jackson-databind: arbitrary code execution in slf4j-ext class
(CVE-2018-14718)
* jackson-databind: arbitrary code execution in blaze-ds-opt and
blaze-ds-core classes (CVE-2018-14719)
* jackson-databind: improper polymorphic deserialization in
axis2-transport-jms class (CVE-2018-19360)
* jackson-databind: improper polymorphic deserialization in openjpa class
(CVE-2018-19361)
* jackson-databind: improper polymorphic deserialization in
jboss-common-core class (CVE-2018-19362)
* zookeeper: Information disclosure in Apache ZooKeeper (CVE-2019-0201)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1544620 – CVE-2016-5397 thrift: Improper file path sanitization in t_go_generator.cc:format_go_output() of the go client library can allow an attacker to inject commands
1548909 – CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
1572416 – CVE-2018-1335 tika: Command injection in tika-server can allow remote attackers to execute arbitrary commands via crafted headers
1666415 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
1666418 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
1666482 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
1666484 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
1666489 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
1667188 – CVE-2018-11798 thrift: Improper Access Control grants access to files outside the webservers docroot path
1671096 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
1671097 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
1677341 – CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
1715197 – CVE-2019-0201 zookeeper: Information disclosure in Apache ZooKeeper
5. References:
https://access.redhat.com/security/cve/CVE-2016-5397
https://access.redhat.com/security/cve/CVE-2018-1335
https://access.redhat.com/security/cve/CVE-2018-8088
https://access.redhat.com/security/cve/CVE-2018-11307
https://access.redhat.com/security/cve/CVE-2018-11798
https://access.redhat.com/security/cve/CVE-2018-12022
https://access.redhat.com/security/cve/CVE-2018-12023
https://access.redhat.com/security/cve/CVE-2018-14718
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/cve/CVE-2019-0201
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.4
https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1
iQIVAwUBXaiAz9zjgjWX9erEAQgAXxAAlmR+/vjSvP15vDwv0W9mWse8ILnbSP1F
hP6WSE2CJPW8jrFQY+1oemTW2dlBs/mK78nQCvV5tCEwKJOAVVWOik23EP4Ft9PV
aZPRyo73tp5tPSHvE2jfDDoBOul4tt0rUZ1je+x3x5c/wTL4ORzduy+Ij9vNy59a
/9qfZaKltdJis8mRyq6tpRUTLU5+qm0wP7XiwT4xFUyVZC1uCYM/lKLqCHmK11ev
tfYUOFtcRn0YBpb6iu8MF8x0KY2RYj7W/b2HzcdZuPTAMg7ozThDzttj8AkMLToS
BNRlKRLitkJX7XcfgB4XQw6dhPPt3FhQl6noqPKNmp8ojV5Ajt+IQzM+9+dVB9sH
DbFC3D3vaLJGyVRqggzy/a4TMRw1KRcx4PF6+VnB5A4LgRSu2s5JzmL5D3n9lDXq
SCP8eR6FFh0AQu6DTcnEsX7jTMGpBQpwXhj8dOEZdK+g4XZLbdRMqGeMx8lARXgf
AOH8ETI2ynqio4gDX7Oc/vt+1RxXvkIABt1Tlarqo3mDy7bDKOHeveUUpc6OIz3Z
HFoFr0OSqn/h7kb1dyYRuqgMfru2AfNRsGXPBRw7djdSR1jM3im+qql1W9M8MTCl
CrT0I3gA/AGgVcZ1b+3tL4EfnL30mFhf4BfnxRz9Q8RNIlKX9rDLuA7o+mhjcyJs
PBmZdOJqS8M=
=GmQ6
—–END PGP SIGNATURE—–
—
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce