RedHat: RHSA-2017-3219:01 Moderate: jboss-ec2-eap security, bug fix,
Summary
The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise
Application Platform running on the Amazon Web Services (AWS) Elastic
Compute Cloud (EC2).
With this update, the jboss-ec2-eap package has been updated to ensure
compatibility with Red Hat JBoss Enterprise Application Platform 6.4.18.
Security Fix(es):
* It was found that while parsing the SAML messages the StaxParserUtil
class of Picketlink replaces special strings for obtaining attribute values
with system property. This could allow an attacker to determine values of
system properties at the attacked system by formatting the SAML request ID
field to be the chosen system property which could be obtained in the
"InResponseTo" field in the response. (CVE-2017-2582)
This issue was discovered by Hynek Mlnarik (Red Hat).
Summary
Solution
Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
References
https://access.redhat.com/security/cve/CVE-2017-2582 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/
Package List
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:
Source:
jboss-ec2-eap-7.5.18-1.Final_redhat_1.ep6.el6.src.rpm
noarch:
jboss-ec2-eap-7.5.18-1.Final_redhat_1.ep6.el6.noarch.rpm
jboss-ec2-eap-samples-7.5.18-1.Final_redhat_1.ep6.el6.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
Topic
An update for jboss-ec2-eap is now available for Red Hat JBoss EnterpriseApplication Platform 6.4 for Red Hat Enterprise Linux 6.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch
Bugs Fixed
1410481 - CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties