### Vulnerability Key Information

- **Announcement ID**: RHSA-2018:1450
- **Release Date**: 2018-05-14
- **Update Date**: 2018-05-14
- **Type/Severity**: Important
- **Subject**: Red Hat JBoss Enterprise Application Platform 6.4.20 Security Update

#### Affected Products

- JBoss Enterprise Application Platform 6.4 for RHEL 5 x86_64
- JBoss Enterprise Application Platform 6.4 for RHEL 5 i386
- JBoss Enterprise Application Platform 6 for RHEL 5 x86_64
- JBoss Enterprise Application Platform 6 for RHEL 5 i386

#### Fixed Vulnerabilities

- CVE-2016-4978: Apache ActiveMQ Artemis: Deserialization of Untrusted Input Vulnerability
- CVE-2017-3163: solr: Directory Traversal via Index Replication HTTP API
- CVE-2017-7525: jackson-databind: Insecure Deserialization Due to Incomplete Blacklist
- CVE-2017-15095: jackson-databind: Insecure Deserialization Due to Incomplete Blacklist
- CVE-2017-17485: jackson-databind: Insecure Deserialization Due to Incomplete Blacklist
- CVE-2018-8088: slf4j: Deserialization Vulnerability in EventData Constructor Allowing Arbitrary Code Execution
- CVE-2018-1304: tomcat: Improper Handling of Empty String URLs in Security Constraints May Lead to Unintended Resource Exposure
- CVE-2018-7489: jackson-databind: Incomplete Fix for CVE-2017-7525 Allows Insecure Serialization via c3p0 Library

#### Remediation Steps

- Before applying this update, ensure that all previously released system-related errata have been applied.
- For detailed instructions on how to apply this update, see: https://access.redhat.com/articles/11258

#### References

- Security Update Classification: https://access.redhat.com/security/updates/classification/#important
- Documentation: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/?version=6.4