-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat JBoss Web Server 3.1 Service Pack 14 Security Update
Advisory ID:       RHSA-2022:0524-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:0524
Issue date:        2022-02-14
CVE Names:         CVE-2021-4104 CVE-2022-23302 CVE-2022-23305
                   CVE-2022-23307
====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this release as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.1 for RHEL 7 - noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components
for hosting Java web applications. It comprises the Apache HTTP Server, the
Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP
Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 14 serves as a
replacement for Red Hat JBoss Web Server 3.1 Service Pack 13. This release
includes bug fixes, which are documented in the Release Notes document linked
to in the References.
Security Fix(es):

* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is
configured to use JMSSink [jws-3] (CVE-2022-23302)

* log4j-eap6: log4j: SQL injection in Log4j 1.x when application is
configured to use JDBCAppender [jws-3] (CVE-2022-23305)

* log4j-eap6: log4j: Unsafe deserialization flaw in Chainsaw log viewer
[jws-3] (CVE-2022-23307)

* log4j-eap6: log4j: Remote code execution in Log4j 1.x when application is
configured to use JMSAppender [jws-3.1] (CVE-2021-4104)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, ensure that all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer
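Two of the four fixes above only matter when the application's Log4j 1.x configuration actually wires in the affected appender (JMSAppender for CVE-2021-4104, JDBCAppender for CVE-2022-23305). The script below is an added example, not part of this advisory and not Red Hat tooling: it scans log4j.properties and log4j.xml syntax for those two appender classes (the class names are Log4j 1.2's own) and maps each hit to the CVE the advisory lists. JMSSink and Chainsaw are standalone programs rather than appenders, so they do not appear in these files and are out of scope for this check. The two sample configurations are constructed for the example.

```python
"""Find Log4j 1.x appender configuration matching the conditions in the
Security Fix(es) above. Added example; not part of the advisory or of Red
Hat's tooling. Covers the two appender-driven issues only: JMSAppender
(CVE-2021-4104) and JDBCAppender (CVE-2022-23305). JMSSink and Chainsaw are
standalone programs, not appenders, and never appear in these files.
"""
import re
import xml.etree.ElementTree as ET

# Log4j 1.2 class names the advisory ties to a configuration-dependent CVE.
RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}

# log4j.properties: `log4j.appender.<name>=<class>`. Sub-keys such as
# `log4j.appender.<name>.File` contain a further '.' and do not match.
_PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")


def scan_properties(text):
    """Return [(appender name, class, CVE)] for risky appenders in .properties syntax."""
    hits = []
    for line in text.splitlines():
        m = _PROP_APPENDER.match(line)
        if m and m.group(2) in RISKY_APPENDERS:
            hits.append((m.group(1), m.group(2), RISKY_APPENDERS[m.group(2)]))
    return hits


def scan_xml(text):
    """Same for log4j.xml: <appender name="..." class="...">."""
    hits = []
    for app in ET.fromstring(text).iter("appender"):
        cls = app.get("class", "")
        if cls in RISKY_APPENDERS:
            hits.append((app.get("name", "?"), cls, RISKY_APPENDERS[cls]))
    return hits


def scan_config(text):
    """Dispatch on syntax: log4j.xml starts with a DOCTYPE or an element."""
    return scan_xml(text) if text.lstrip().startswith("<") else scan_properties(text)


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/var/log/app/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

SAMPLE_XML = """\
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="db" class="org.apache.log4j.jdbc.JDBCAppender">
    <param name="URL" value="jdbc:postgresql://db.internal/app"/>
  </appender>
  <root><level value="info"/><appender-ref ref="db"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in (("log4j.properties", SAMPLE_PROPERTIES), ("log4j.xml", SAMPLE_XML)):
        for name, cls, cve in scan_config(cfg):
            print(f"{label}: appender '{name}' uses {cls} ({cve})")
```

An empty result is evidence, not proof: Log4j 1.x appenders can also be attached programmatically (for example through the configurator API or by constructing the appender in code), and the file may live under a non-default name set via the log4j.configuration system property. The scan narrows where to look; the fix is still the package update above.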
6. Package List:

Red Hat JBoss Web Server 3.1 for RHEL 7:

Source:
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7.src.rpm
tomcat-native-1.2.23-26.redhat_26.ep7.el7.src.rpm
tomcat7-7.0.70-46.ep7.el7.src.rpm
tomcat8-8.0.36-49.ep7.el7.src.rpm

noarch:
log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7.noarch.rpm
tomcat7-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-admin-webapps-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-docs-webapp-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-javadoc-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-jsvc-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-lib-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-log4j-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-selinux-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-46.ep7.el7.noarch.rpm
tomcat7-webapps-7.0.70-46.ep7.el7.noarch.rpm
tomcat8-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-admin-webapps-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-docs-webapp-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-el-2.2-api-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-javadoc-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-jsvc-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-lib-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-log4j-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-selinux-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-49.ep7.el7.noarch.rpm
tomcat8-webapps-8.0.36-49.ep7.el7.noarch.rpm

x86_64:
tomcat-native-1.2.23-26.redhat_26.ep7.el7.x86_64.rpm
tomcat-native-debuginfo-1.2.23-26.redhat_26.ep7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-4104
https://access.redhat.com/security/cve/CVE-2022-23302
https://access.redhat.com/security/cve/CVE-2022-23305
https://access.redhat.com/security/cve/CVE-2022-23307
https://access.redhat.com/security/updates/classification/#low
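Deciding whether a host still needs this update means comparing its installed package versions against the version-release strings in the package list above using rpm's own ordering rules, where a naive string compare gets cases like `00007` vs `00008` or `1.10` vs `1.9` wrong. The script below is an added example, not Red Hat tooling: it re-implements rpm's label comparison (rpmvercmp, including the `~` pre-release and `^` post-release rules) in plain Python, parses the four fixed source NVRs from the advisory, and grades a constructed `rpm -qa` style inventory. It compares version and release only; the advisory prints no epochs, so the example assumes the installed and fixed packages carry the same epoch.

```python
"""Grade installed JWS 3.1 packages against the fixed versions in RHSA-2022:0524.

Added example, not Red Hat tooling. Re-implements rpm's label comparison
(rpmvercmp) so it runs without the rpm module; on a real host feed it
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
Epochs are not shown in the advisory, so only version-release is compared
(assumption: installed and fixed packages share an epoch).
"""

# Fixed version-release per package, from the advisory's source RPMs; the
# binary sub-packages (tomcat7-lib, tomcat8-webapps, ...) share them.
FIXED = [
    "log4j-eap6-1.2.17-3.redhat_00008.1.ep6.el7",
    "tomcat7-7.0.70-46.ep7.el7",
    "tomcat8-8.0.36-49.ep7.el7",
    "tomcat-native-1.2.23-26.redhat_26.ep7.el7",
]

# Constructed inventory standing in for `rpm -qa` output on a host at SP13.
SAMPLE_INVENTORY = """\
log4j-eap6-1.2.17-3.redhat_00007.1.ep6.el7
tomcat7-7.0.70-46.ep7.el7
tomcat8-8.0.36-48.ep7.el7
tomcat-native-1.2.23-26.redhat_26.ep7.el7
httpd24-httpd-2.4.34-7.el7
"""


def _take(s, k, pred):
    """Longest run of characters satisfying pred starting at s[k]."""
    n = k
    while n < len(s) and pred(s[n]):
        n += 1
    return s[k:n]


def rpmvercmp(a, b):
    """rpm's segment-wise comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything not alphanumeric, '~' or '^') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # '~' sorts before everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # '^' sorts after end of string, before anything else
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        pred = str.isdigit if ca.isdigit() else str.isalpha
        sa, sb = _take(a, i, pred), _take(b, j, pred)
        i, j = i + len(sa), j + len(sb)
        if not sb:                          # numeric segment is newer than alphabetic
            return 1 if ca.isdigit() else -1
        if ca.isdigit():                    # numeric: strip leading zeros, longer wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whichever string has segments left is newer


def parse_nvr(nvr):
    """'name-version-release' -> (name, version, release); name may contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def check_inventory(inventory_text, fixed=FIXED):
    """{name: (installed v-r, fixed v-r, 'VULNERABLE'|'OK')} for packages the advisory covers."""
    fixed_vr = {parse_nvr(n)[0]: parse_nvr(n)[1:] for n in fixed}
    report = {}
    for nvr in inventory_text.split():
        name, ver, rel = parse_nvr(nvr)
        if name not in fixed_vr:
            continue                        # not a package this advisory ships
        rc = rpmvercmp(ver, fixed_vr[name][0]) or rpmvercmp(rel, fixed_vr[name][1])
        report[name] = (f"{ver}-{rel}", "-".join(fixed_vr[name]), "VULNERABLE" if rc < 0 else "OK")
    return report


if __name__ == "__main__":
    for name, (have, want, verdict) in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{verdict:10} {name}: installed {have}, fixed in {want}")
```

Run against real output, the four named packages should all come back OK after SP14 is applied. Since the advisory points out that the packages are GPG signed, verify the downloaded RPMs with `rpm -K <file>.rpm` (or `rpm --checksig`) against Red Hat's published key before installing rather than trusting the version string alone.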
8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYgrT4dzjgjWX9erEAQj44g//bj2uAK916aZAw3a6oe2SgNpqLT0dicUe
UCEwR2Y6LpTX2taiD7J2PmVEJ8Jto4AGuUyQB9BQqoeTfJP7OwKhgoHmxYy0kxkK
jTQlk/fFXGcQwP5n8CtI8h6Gda4/pCsbn5H9Po752H8zVRFlD6yMNMaZ/UHd1Wsh
S68i0DteyNqRH3rqzueV/UphqzHTSm89E2iLlvwovT5O4WZnCrS4fHg0JCXDsMT/
vYGBogbJ9QsQa0wG8I4sm5PPZCAaHi0qRvexoSsySE/kpmLuIumlsc8ocB0bIYS8
pPFL4xvXgU6Hsu+bhVV6rJ7H9h3Gq1tG5WwITabEJ7k4hIbDT/SAk6YhXzqb9twL
8sUNjY+Z4mappgGrV/2eGXOzJNlbTaNFiZncGinGI0T/Z4lV3y4uP0jZFRZulM5k
Oxc/q71hKWKiDFotxpZI0cGvdtFNE+Cf2JeG0eFZB9L70gzLy3qJYHyLjqEbGw8C
mJ8IaLINQteIkFg2L1th2LHm6qzSr4xNIR89GiXHrFw+NwvtkZH+QQdtnSkFZ2Um
hjUtkRWqkoiwqW9A0EZZ/eggP7jLpBdXSTrUYWNN35O8vXy/lmWgmrPPKROZ+4Kw
PagDFpEmfTC1/TsiPHqDUamKVdRRSLbG/89yxdo9zBlLi7ZDuyL6Rwkynx8FqdG+
pmrRyDtn+Fg=
=Xp7H
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce