## Critical Vulnerability Information

**Overview**

- **Advisory ID:** RHSA-2018:0294
- **Release Date:** 2018-02-12
- **Update Date:** 2018-02-12

**Type/Severity**

- **Severity:** Important

**Subject**

- Red Hat JBoss Data Grid 7.1.2 is now available for download.

**Vulnerability Description**

- **CVE-2017-7525:** A deserialization vulnerability in jackson-databind allows unauthenticated users to execute arbitrary code by sending maliciously crafted input to the ObjectMapper's readValue method.
- **CVE-2017-15089:** The Infinispan Hotrod client insecurely reads deserialized data from the cache. An authenticated attacker can inject malicious objects into the data cache and trigger deserialization on the client, potentially leading to further attacks.
- **CVE-2014-9970:** A vulnerability in Jasypt allows attackers to perform timing attacks on password hash comparisons.

**Solution**

- Download links and solution details can be found in the "References" section of the advisory.
- Before applying the update, back up your existing Red Hat JBoss Data Grid installation (including databases, configuration files, etc.).

**Affected Products**

- Red Hat JBoss Data Grid Text-Only Advisories x86_64

**Fix Records**

- **CVE-2014-9970:** BZ - 1455566
- **CVE-2017-7525:** BZ - 1462702
- **CVE-2017-15089:** BZ - 1503610

**References**

- [Severity Classification](https://access.redhat.com/security/updates/classification/#important)
- [JBoss Network List Software](https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=distributions&version=7.1.2)
- [Red Hat Data Grid 7.1.2 Release Notes](https://docs.redhat.com/en/documentation/red_hat_data_grid/7.1/html/7.1.2_release_notes)
- [Red Hat JBoss Data Grid Documentation](https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Data_Grid/)
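The CVE-2017-7525 entry above turns on how `ObjectMapper.readValue` resolves class names embedded in untrusted input when default typing is enabled. The following Java is an added illustration, not code from this advisory or from Red Hat, contrasting that weak configuration with two defensive ones; the `Greeting` model type and the `com.example.model.` package prefix are assumptions, and the allowlist validator API assumes jackson-databind 2.10 or later (newer than the versions this advisory fixes).

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingExample {

    // Hypothetical application model type used as the concrete binding target.
    public static class Greeting {
        public String text;
    }

    // Weak configuration: global default typing with no validator. Input that carries a
    // class-name type tag is resolved against the whole classpath, which is the condition
    // CVE-2017-7525 depends on in affected jackson-databind versions. Shown for contrast only.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated in 2.10+
        return mapper;
    }

    // Preferred: no default typing, and readValue is always given a concrete application
    // type, so a type tag in the input is never consulted.
    static Greeting bindConcrete(String json) throws Exception {
        return new ObjectMapper().readValue(json, Greeting.class);
    }

    // When polymorphic typing is genuinely required (jackson-databind 2.10+): type ids are
    // resolved only through an allowlist. The package prefix is an assumption for this example.
    static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document, and one carrying a type tag outside the allowlist.
        System.out.println(bindConcrete("{\"text\":\"hello\"}").text);
        String tagged = "[\"java.util.HashMap\", {\"text\":\"hello\"}]";
        try {
            allowlistMapper().readValue(tagged, Object.class);
            System.out.println("unexpected: type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("type id rejected: " + e.getOriginalMessage());
        }
    }
}
```

The tagged document is rejected by the validator before any class is loaded, whereas `weakMapper()` would attempt to resolve whatever class name the input names.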