Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2022:0524: Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 14 Security Update

An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-4104: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
  • CVE-2022-23302: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
  • CVE-2022-23305: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
  • CVE-2022-23307: log4j: Unsafe deserialization flaw in Chainsaw log viewer
Red Hat Security Data
Open in Source
#sql#vulnerability#web#linux#red_hat#apache#nodejs#js#java#kubernetes

Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases

Red Hat Customer Portal

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus
  • Red Hat CodeReady Studio

Integration and Automation

  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager

All Products

Issued:

2022-02-14

Updated:

2022-02-14

RHSA-2022:0524 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Low: Red Hat JBoss Web Server 3.1 Service Pack 14 Security Update

Type/Severity

Security Advisory: Low

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this release as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a replacement for Red Hat JBoss Web Server 3.1 Service Pack 13. This release includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink [jws-3] (CVE-2022-23302)
  • log4j-eap6: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender [jws-3] (CVE-2022-23305)
  • log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer [jws-3] (CVE-2022-23307)
  • log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender [jws-3.1] (CVE-2021-4104)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, ensure that all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Web Server 3 for RHEL 7 x86_64

Fixes

  • BZ - 2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
  • BZ - 2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
  • BZ - 2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
  • BZ - 2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer

CVEs

  • CVE-2021-4104
  • CVE-2022-23302
  • CVE-2022-23305
  • CVE-2022-23307

JBoss Enterprise Web Server 3 for RHEL 7

SRPM

log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7.src.rpm

SHA-256: 54c553bdd01517f268758d172dfd050d891535bc675a11463af1b8c5599a7687

tomcat-native-1.2.23-26.redhat_26.ep7.el7.src.rpm

SHA-256: be24173f7d7b127de194a09fd14cfab117c37f06d26a75f68f0d886f3db596f9

tomcat7-7.0.70-46.ep7.el7.src.rpm

SHA-256: 1ff1ff4b8c914c3fb88e3d98ad0df9305157132493108bde2c5e0d1afa49f20c

tomcat8-8.0.36-49.ep7.el7.src.rpm

SHA-256: de99bf686c9538e19c38b0dee44556020ea8e935da50382cd5b6ddfd9e5cb92a

x86_64

log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7.noarch.rpm

SHA-256: 04f9ba70cf8198ef65566fc4cc0430a685b7607c94cd8e598a6376f6cf5eef20

tomcat-native-1.2.23-26.redhat_26.ep7.el7.x86_64.rpm

SHA-256: 844f1fe9ac981148b9506442cd58d6b5447a3f396a028d5deefccc2319c6a712

tomcat-native-debuginfo-1.2.23-26.redhat_26.ep7.el7.x86_64.rpm

SHA-256: afbe355141e56f5f469cd2d6b0d06ab074fd7acdff28ea97150cf2a751de8986

tomcat7-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: 6ea2e899b83437c1dc2ed98c3c091bc74b5dc631860a0fcf313e0f0d6ec10878

tomcat7-admin-webapps-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: cc9e3108a781d9675c3568a9de85558b6dcea20d9a4e4be74e5ad6ded8c44b6e

tomcat7-docs-webapp-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: e662f73f77e4a610d30eed6b4d685abd6353b46a6d75f34fd5076da8de089b38

tomcat7-el-2.2-api-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: 4b027da0369362a037efb6d8937a43fb865e6cd321e441c404b5c55cd1196828

tomcat7-javadoc-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: a6e984d831903d5e8c7ccb1194a7d436a15ae10aa3db7fee01afefc9e44af1ca

tomcat7-jsp-2.2-api-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: 29396a8b3e8cbb6532060cdd678af64f8874df41f6622686ebf3ec8dc4d05531

tomcat7-jsvc-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: 14c4b3992a2bd9bf81dd23f32ac2dd12773db78f36edec8d62f95e579def3e8c

tomcat7-lib-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: 911e1f23558642b15c2996f8feff9d61a456a6cecd23efb1596c86838d9e22ec

tomcat7-log4j-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: d0370a261d96397669828b90ebe708ae0fe1b0dbd07e2a5b7977a5fd1109e0eb

tomcat7-selinux-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: 7b5203ca139afffd2abf2026d0b6776d73f89241d483fbeaf137e4e79dac4cc5

tomcat7-servlet-3.0-api-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: 9c79b47b48f906b58a63e46d1a7f6b3e5c4328504050c2dd89b5157f890e1bfb

tomcat7-webapps-7.0.70-46.ep7.el7.noarch.rpm

SHA-256: 539c55a33c9aac608c743dc78d25974afbbff55b553d28fa221713cd18c769f7

tomcat8-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: a2147868709e653e5d8bdc4fe0199d50c1aa9b4990bebf2f5436b72f27eff758

tomcat8-admin-webapps-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: 0658ed887012b129f9c9055c658a18f7a052f282a26dfb4e46ac7d27002c389e

tomcat8-docs-webapp-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: fd25205a5420d860936330c45cc5fb0c15a35401f3b7bc92e0647e625baf5f73

tomcat8-el-2.2-api-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: 25a5c58a49c034f22be5bb1a953071541a73bde1e2f54c3332a35d2dd8194cc1

tomcat8-javadoc-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: 685abcacc817d355bb7c5e503e6a509d875f872a50f84527c2bf9a9a475cc489

tomcat8-jsp-2.3-api-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: 58d51a2e197001e02a00ba0969a82be4c7c44add1102cd0ba595e8076eba40b8

tomcat8-jsvc-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: 393c1af5b4b284f4e20b360ed477cae54359d06c11b6df6b1f83ca6e68e81ae9

tomcat8-lib-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: 28dc371cbd7c8a3ae24408e4122b1bc1e155f9cb2aaa635ffcc378e7e77e48cc

tomcat8-log4j-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: ec852e0d5ea664b88ea2600c94395ba57e6728a974372b3a7aafe227c9899b83

tomcat8-selinux-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: 3e8429af5ed48f4a3d4f2b972f1298656df5df85c01f05701359f6e6ea652976

tomcat8-servlet-3.1-api-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: a73ca775ec03d8efc2a67568d5cb1236d3cf0175c9906fe008183d3deff682da

tomcat8-webapps-8.0.36-49.ep7.el7.noarch.rpm

SHA-256: 9df8de4cc519c6361dce0b17d3adde163848a4023d2430c7060dba1c891ec26c

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat Security Data: Latest News

RHSA-2023:5627: Red Hat Security Advisory: kernel security, bug fix, and enhancement update
Red Hat Security Data