RHSA-2018:0294: Important: Red Hat JBoss Data Grid 7.1.2 security update
Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.

This release of Red Hat JBoss Data Grid 7.1.2 serves as a replacement for Red Hat JBoss Data Grid 7.1.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. (CVE-2017-7525)

It was found that the Hotrod client in Infinispan would unsafely deserialize data read from the cache. An authenticated attacker could inject a malicious object into the data cache and have it deserialized on the client, and possibly conduct further attacks. (CVE-2017-15089)

A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)

Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525 and Man Yue Mo (Semmle/lgtm.com) for reporting CVE-2017-15089.
Frequently Asked Questions
What is the severity of RHSA-2018:0294?
The severity of RHSA-2018:0294 is categorized as moderate.
How do I fix RHSA-2018:0294?
To fix RHSA-2018:0294, update Red Hat JBoss Data Grid to version 7.1.2 or later.
What products are affected by RHSA-2018:0294?
RHSA-2018:0294 affects Red Hat JBoss Data Grid versions prior to 7.1.2.
What enhancements are included in RHSA-2018:0294?
RHSA-2018:0294 includes bug fixes and enhancements that improve the performance and stability of the software.
Is RHSA-2018:0294 essential for system security?
Yes, addressing RHSA-2018:0294 is essential to maintain the security and integrity of your Red Hat JBoss Data Grid deployment.