RHSA-2022:0507: Important: Red Hat JBoss Data Virtualization 6.4.8.SP2 security update
First published: Thu Feb 10 2022(Updated: )
Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.<br>This Service Pack release of Red Hat JBoss Data Virtualization 6.4.8.SP2 (Service Pack 2) serves as a replacement for Red Hat JBoss Data Virtualization 6.4.8 and Red Hat JBoss Data Virtualization 6.4.8.SP1, and mitigates the impact of the log4j CVE's referenced in this document by removing the affected classes from the patch.<br>Note: customers should update their EAP 6.4 installation with the corresponding security fixes that have been released for that (see RHSA-2022:0437 and <a href="https://access.redhat.com/site/solutions/625683)" target="_blank">https://access.redhat.com/site/solutions/625683)</a> Security Fix(es):<br><li> log4j: deserialization of untrusted data in SocketServer (CVE-2019-17571)</li> <li> log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender (CVE-2022-23305)</li> <li> log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)</li> <li> log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender (CVE-2021-4104)</li> <li> log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink (CVE-2022-23302)</li> <li> log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| Affected Software | Affected Version | How to fix |
|---|
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1785616
- https://bugzilla.redhat.com/show_bug.cgi?id=1831139
- https://bugzilla.redhat.com/show_bug.cgi?id=2031667
- https://bugzilla.redhat.com/show_bug.cgi?id=2041949
- https://bugzilla.redhat.com/show_bug.cgi?id=2041959
- https://bugzilla.redhat.com/show_bug.cgi?id=2041967
- https://access.redhat.com/security/updates/classification/#important
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.4
- https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.4/html/release_notes/
- https://access.redhat.com/errata/RHSA-2022:0507 (Advisory)
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2022:0507
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness