RHEL 6 / 7 : eap7-jboss-ec2-eap (RHSA-2017:1837)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

An update for eap7-jboss-ec2-eap is now available for Red Hat JBoss
Enterprise Application Platform 7.0 for RHEL 6 and Red Hat JBoss
Enterprise Application Platform 7.0 for RHEL 7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss
Enterprise Application Platform running on the Amazon Web Services
(AWS) Elastic Compute Cloud (EC2).

With this update, the eap7-jboss-ec2-eap package has been updated to
ensure compatibility with Red Hat JBoss Enterprise Application
Platform 7.0.7.

Refer to the JBoss Enterprise Application Platform 7.0.7 Release
Notes, linked to in the References section, for information on the
most significant bug fixes and enhancements included in this release.

Security Fix(es) :

* A deserialization flaw was discovered in jackson-databind which
could allow an unauthenticated user to perform code execution by
sending maliciously crafted input to the readValue method of the
ObjectMapper. (CVE-2017-7525)

* It was found that use of a JMS ObjectMessage does not safely handle
user-supplied data when deserializing objects. A remote attacker could
use this flaw to execute arbitrary code with the permissions of the
application using the JMS ObjectMessage. (CVE-2016-4978)

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting

Solution :

Update the affected eap7-jboss-ec2-eap and / or
eap7-jboss-ec2-eap-samples packages.

Risk factor :

Medium / CVSS Base Score : 6.0
CVSS Temporal Score : 4.8
Public Exploit Available : false

Family: Red Hat Local Security Checks

Nessus Plugin ID: 102141

CVE ID: CVE-2016-4978
