Security Advisory Moderate: jboss-ec2-eap security, bug fix, and enhancement update

Advisory: RHSA-2017:1260-1
Type: Security Advisory
Severity: Moderate
Issued on: 2017-05-18
Last updated on: 2017-05-18
Affected Products: JBoss Enterprise Application Platform 6 EL6
CVEs (cve.mitre.org): CVE-2016-9606

Details

An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise
Application Platform 6.4 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise
Application Platform running on the Amazon Web Services (AWS) Elastic Compute
Cloud (EC2).

With this update, the jboss-ec2-eap package has been updated to ensure
compatibility with Red Hat JBoss Enterprise Application Platform 6.4.15.

Security Fix(es):

* It was discovered that under certain conditions RESTEasy could be forced to
parse a request with YamlProvider, resulting in unmarshalling of potentially
untrusted data. An attacker could possibly use this flaw to execute arbitrary
code with the permissions of the application using RESTEasy. (CVE-2016-9606)
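The hazard behind the flaw above is the generic SnakeYAML one: a default Yaml instance honours global "!!" tags, so a request body can name any class on the application's classpath and have it instantiated with attacker-chosen constructor arguments. The following Java program is an added illustration of that hazard and of the SafeConstructor mitigation; it is not RESTEasy, JBoss EAP or Red Hat code and does not reproduce the RESTEasy fix. It assumes SnakeYAML 1.x on the classpath (the line contemporary with this advisory) and uses a constructed payload that only instantiates java.net.URL, a harmless stand-in for the classes a real payload would chain.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Added illustration of the unmarshalling hazard behind CVE-2016-9606; not
// RESTEasy or Red Hat code. Assumes SnakeYAML 1.x on the classpath.
public class YamlUnmarshalDemo {

    // Constructed request body. The global "!!" tag names a JVM class and the
    // default constructor instantiates it, passing the sequence as constructor
    // arguments. java.net.URL stands in for the classes a real payload would
    // chain (class loaders, script engines and the like).
    static final String UNTRUSTED_BODY =
            "!!java.net.URL [\"http://attacker.invalid/x\"]";

    // Vulnerable pattern: a default Yaml instance resolves arbitrary global tags.
    static Object unsafeLoad(String body) {
        return new Yaml().load(body);
    }

    // Hardened pattern: SafeConstructor only builds scalars, lists and maps and
    // throws on a tag it does not know, so the same body instantiates nothing.
    static Object safeLoad(String body) {
        return new Yaml(new SafeConstructor()).load(body);
    }

    // True when the loader produced something other than plain YAML data types,
    // i.e. the document was able to pick a class of its own.
    static boolean instantiatedForeignClass(Object loaded) {
        return !(loaded == null
                || loaded instanceof String
                || loaded instanceof Number
                || loaded instanceof Boolean
                || loaded instanceof java.util.List
                || loaded instanceof java.util.Map);
    }

    public static void main(String[] args) {
        Object viaDefault = unsafeLoad(UNTRUSTED_BODY);
        System.out.println("default Yaml built: " + viaDefault.getClass().getName()
                + " (foreign class: " + instantiatedForeignClass(viaDefault) + ")");

        try {
            Object viaSafe = safeLoad(UNTRUSTED_BODY);
            System.out.println("SafeConstructor unexpectedly accepted the body: " + viaSafe);
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the body: " + e.getMessage());
        }
    }
}
```

Compile and run with the snakeyaml jar on the classpath. The first call returns a java.net.URL object, which is the whole problem: the server never asked for one, the request body chose it. On SnakeYAML 2.x the constructor is `new SafeConstructor(new LoaderOptions())` and a plain `new Yaml()` already refuses global tags, but the advice stands either way: apply this update, and treat any application code of your own that feeds request data to a default Yaml instance as having the same exposure independently of the RESTEasy fix.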

Red Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting
this issue.


Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

Updated packages

JBoss Enterprise Application Platform 6 EL6

SRPMS:
jboss-ec2-eap-7.5.15-3.Final_redhat_3.ep6.el6.src.rpm
File outdated by: RHSA-2017:1552
MD5: 16b13391ddd1630a4bc7057df1a81492
SHA-256: cdc9e4d8e295937e0a5d69821199905d264aacd5f80c42cf23e282f4f6a217ea

IA-32:
jboss-ec2-eap-7.5.15-3.Final_redhat_3.ep6.el6.noarch.rpm
File outdated by: RHSA-2017:1552
MD5: ce691a68e7b094fb41f3ec53aee0f2e4
SHA-256: e3d802ac6bf0953c84cccce78b06f5b157294620aac056826170a445b533dd2e
jboss-ec2-eap-samples-7.5.15-3.Final_redhat_3.ep6.el6.noarch.rpm
File outdated by: RHSA-2017:1552
MD5: aabd7743a20f8950687793be542dbaaf
SHA-256: e9833c50b75e0c2b79daf39b59f1533bff12e0039eca0e2fcc6f3ffc1d14ac31

x86_64:
jboss-ec2-eap-7.5.15-3.Final_redhat_3.ep6.el6.noarch.rpm
File outdated by: RHSA-2017:1552
MD5: ce691a68e7b094fb41f3ec53aee0f2e4
SHA-256: e3d802ac6bf0953c84cccce78b06f5b157294620aac056826170a445b533dd2e
jboss-ec2-eap-samples-7.5.15-3.Final_redhat_3.ep6.el6.noarch.rpm
File outdated by: RHSA-2017:1552
MD5: aabd7743a20f8950687793be542dbaaf
SHA-256: e9833c50b75e0c2b79daf39b59f1533bff12e0039eca0e2fcc6f3ffc1d14ac31

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1400644 - CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/