3 Replies Latest reply on Mar 1, 2016 9:44 AM by John Doyle

    JBOSS-EAP 6.4.0 alpha version alslo affected by CVE-2015-0254?

    Cora Kwok Newbie

      The following security issue is addressed with this release:

       

      It was found that the Java Standard Tag Library (JSTL) allowed the

      processing of untrusted XML documents to utilize external entity

      references, which could access resources on the host system and,

      potentially, allowing arbitrary code execution. (CVE-2015-0254)

       

      Note: Tag Library users may need to take additional steps after applying

      this update. Detailed instructions on the additional steps can be found

      here:

      https://access.redhat.com/solutions/1584363

       

      I am using JBOSS-EAP 6.4.0 alpha version, then which version that I should used to apply the patch ?

       

      First upgrade to JBOSS-EAP 6.4.0 and then applied the new patch ?

      or first upgrade to jboss-eap-6.4-CVE-2015-7501.zip to apply the new patch for CVE-2015-0254 ?

      or directly upgrade to JBOSS-EAP 6.4.6 ?