3 Replies Latest reply on Mar 1, 2016 9:44 AM by jdoyle

JBOSS-EAP 6.4.0 alpha version alslo affected by CVE-2015-0254?

cora.kwok Feb 25, 2016 11:07 PM

The following security issue is addressed with this release:

It was found that the Java Standard Tag Library (JSTL) allowed the

processing of untrusted XML documents to utilize external entity

references, which could access resources on the host system and,

potentially, allowing arbitrary code execution. (CVE-2015-0254)

Note: Tag Library users may need to take additional steps after applying

this update. Detailed instructions on the additional steps can be found

here:

I am using JBOSS-EAP 6.4.0 alpha version, then which version that I should used to apply the patch ?

First upgrade to JBOSS-EAP 6.4.0 and then applied the new patch ?

or first upgrade to jboss-eap-6.4-CVE-2015-7501.zip to apply the new patch for CVE-2015-0254 ?

or directly upgrade to JBOSS-EAP 6.4.6 ?

1. Re: JBOSS-EAP 6.4.0 alpha version alslo affected by CVE-2015-0254?

ctomc Feb 26, 2016 9:31 AM (in response to cora.kwok)

Patches are only provided for .GA releases and not for any preview builds (alpha,beta, cr)

I would recommend you to upgrade to 6.4.0.GA first and than apply 6.4.6 patch for it.
Actions
2. Re: JBOSS-EAP 6.4.0 alpha version alslo affected by CVE-2015-0254?

cora.kwok Feb 29, 2016 1:27 AM (in response to ctomc)

However, I could only find the version jboss-eap-6.4-CVE-2015-7501.zip to download.
Is this version Red Hat JBoss Enterprise Application Platform - Version 6.4.0.GA or jboss cr version ?
Actions
3. Re: JBOSS-EAP 6.4.0 alpha version alslo affected by CVE-2015-0254?

jdoyle Mar 1, 2016 9:44 AM (in response to cora.kwok)

That's for EAP 6.4, not for a community version.
Actions