It was found that logback is vulnerable to a deserialization issue. Logback can be configured to allow remote logging through its SocketServer/ServerSocketReceiver interfaces, which can accept untrusted serialized data. Authenticated attackers on the adjacent network can leverage this vulnerability to execute arbitrary code through deserialization of custom gadget chains.
References: https://logback.qos.ch/news.html
Upstream commit: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
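The defensive pattern behind the upstream fix is to refuse to resolve any class the receiver does not expect, before the JVM instantiates it. The following is an added example, not logback's own code: the class name, the allowlist contents and the sample payloads are constructed for the demo (Java 9+ is assumed for Set.of).

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Illustrative allowlisting stream (example code, not logback's own class).
// resolveClass() runs before any object is instantiated, so a class outside the
// allowlist is rejected before a gadget chain's readObject() logic can execute.
public class AllowlistObjectInputStream extends ObjectInputStream {
    // Constructed allowlist: the types a hypothetical receiver expects and nothing else.
    // Superclass descriptors (here java.lang.Number for Integer) must be listed too.
    private static final Set<String> ALLOWED = Set.of(
            "java.util.HashMap", "java.lang.String", "java.lang.Integer", "java.lang.Number");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the deserialized object, or null if the allowlist rejected the stream.
    static Object readGuarded(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        } catch (InvalidClassException e) {
            System.err.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> ok = new HashMap<>();
        ok.put("level", 20);
        System.out.println("accepted: " + readGuarded(serialize(ok))); // HashMap/Integer allowed
        // java.util.ArrayList is a benign stand-in for any unexpected type: it is not on the
        // allowlist, so it is rejected exactly as an attacker-chosen gadget class would be.
        System.out.println("result: " + readGuarded(serialize(new java.util.ArrayList<>())));
    }
}
```

On JDK 9+ (and 8u121+) the same policy can be expressed with java.io.ObjectInputFilter instead of overriding resolveClass(); whichever mechanism is used, the allowlist is the control, and an attempted resolution of a class outside it is a log-worthy event on a receiver exposed to the network.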
This issue has been addressed in the following products:
Red Hat JBoss BRMS via RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1676
Red Hat JBoss BPM Suite via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675
Red Hat JBoss Fuse via RHSA-2017:1832 https://access.redhat.com/errata/RHSA-2017:1832
Red Hat Satellite 6.4 for RHEL 7 via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927
Red Hat Process Automation via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675
Red Hat Decision Manager via RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1676
Red Hat Fuse 7.6.0 via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983