RHSA-2025:1746 | Severity: Critical | CVSS 9.8

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.9 on RHEL 7 security update

Published
February 24, 2025
Last Modified
June 6, 2026

CVE IDs covered (18)

Description

CVE-2020-8840 — jackson-databind: Lacks certain xbean-reflect/JNDI blocking
CVE-2020-9546 — jackson-databind: Serialization gadgets in shaded-hikari-config
CVE-2020-9547 — jackson-databind: Serialization gadgets in ibatis-sqlmap
CVE-2020-9548 — jackson-databind: Serialization gadgets in anteros-core
CVE-2020-10672 — jackson-databind: mishandles the interaction between serialization gadgets and typing, which could result in remote command execution
CVE-2020-10673 — jackson-databind: mishandles the interaction between serialization gadgets and typing, which could result in remote command execution
CVE-2020-13936 — velocity: arbitrary code execution when an attacker is able to modify templates
CVE-2021-3717 — wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all local users
CVE-2021-44228 — log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value
CVE-2021-45046 — log4j-core: DoS in Log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)
CVE-2022-1471 — SnakeYaml: Constructor deserialization remote code execution
CVE-2022-41881 — codec-haproxy: HAProxyMessageDecoder stack exhaustion DoS
CVE-2022-42003 — jackson-databind: deep wrapper array nesting with respect to UNWRAP_SINGLE_VALUE_ARRAYS
CVE-2022-42004 — jackson-databind: use of deeply nested arrays
CVE-2022-42889 — apache-commons-text: variable interpolation RCE
CVE-2022-45047 — mina-sshd: Java unsafe deserialization vulnerability
CVE-2022-45693 — jettison: if a value in a map is the map itself, new JSONObject(map) causes a StackOverflowError, which may lead to DoS
CVE-2022-46363 — CXF: directory listing / code exfiltration
