-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2407
  Important: Red Hat JBoss Web Server 3.1.0 Service Pack 4 security and
                              bug fix update
                               17 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Web Server
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux Server 6
Impact/Access:     Unauthorised Access -- Existing Account
                   Reduced Security    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8020 CVE-2018-8019 CVE-2018-8014

Reference:         ESB-2018.2214
                   ESB-2018.1630
                   ESB-2018.1509
                   ESB-2018.1882.2

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2018:2469
   https://access.redhat.com/errata/RHSA-2018:2470

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 3.1.0 Service Pack 4 security and bug fix update
Advisory ID:       RHSA-2018:2469-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2469
Issue date:        2018-08-16
CVE Names:         CVE-2018-8014 CVE-2018-8019 CVE-2018-8020
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and
Red Hat JBoss Web Server 3.1 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.1 for RHEL 6 - i386, noarch, x86_64
Red Hat JBoss Web Server 3.1 for RHEL 7 - noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It comprises the Apache HTTP
Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for
all origins (CVE-2018-8014)

* tomcat-native: Mishandled OCSP invalid response (CVE-2018-8019)

* tomcat-native: Mishandled OCSP responses can allow clients to authenticate
with revoked certificates (CVE-2018-8020)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

The following packages have been upgraded to a newer upstream version:

* OpenSSL (1.0.2n)
* APR (1.6.3)

CVE-2018-8019 and CVE-2018-8020 were discovered by Coty Sutherland (Red Hat).

4. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
1581569 - CVE-2018-8020 tomcat-native: Mishandled OCSP responses can allow clients to authenticate with revoked certificates
1583998 - CVE-2018-8019 tomcat-native: Mishandled OCSP invalid response

6. JIRA issues fixed (https://issues.jboss.org/):

JWS-1042 - version.txt information is outdated

7. Package List:

Red Hat JBoss Web Server 3.1 for RHEL 6:

Source:
tomcat-native-1.2.17-17.redhat_17.ep7.el6.src.rpm
tomcat7-7.0.70-27.ep7.el6.src.rpm
tomcat8-8.0.36-31.ep7.el6.src.rpm

i386:
tomcat-native-1.2.17-17.redhat_17.ep7.el6.i686.rpm
tomcat-native-debuginfo-1.2.17-17.redhat_17.ep7.el6.i686.rpm

noarch:
tomcat7-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-admin-webapps-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-docs-webapp-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-javadoc-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-jsvc-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-lib-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-log4j-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-selinux-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-27.ep7.el6.noarch.rpm
tomcat7-webapps-7.0.70-27.ep7.el6.noarch.rpm
tomcat8-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-admin-webapps-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-docs-webapp-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-el-2.2-api-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-javadoc-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-jsvc-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-lib-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-log4j-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-selinux-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-31.ep7.el6.noarch.rpm
tomcat8-webapps-8.0.36-31.ep7.el6.noarch.rpm

x86_64:
tomcat-native-1.2.17-17.redhat_17.ep7.el6.x86_64.rpm
tomcat-native-debuginfo-1.2.17-17.redhat_17.ep7.el6.x86_64.rpm

Red Hat JBoss Web Server 3.1 for RHEL 7:

Source:
tomcat-native-1.2.17-17.redhat_17.ep7.el7.src.rpm
tomcat7-7.0.70-27.ep7.el7.src.rpm
tomcat8-8.0.36-31.ep7.el7.src.rpm

noarch:
tomcat7-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-admin-webapps-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-docs-webapp-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-javadoc-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-jsvc-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-lib-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-log4j-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-selinux-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-27.ep7.el7.noarch.rpm
tomcat7-webapps-7.0.70-27.ep7.el7.noarch.rpm
tomcat8-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-admin-webapps-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-docs-webapp-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-el-2.2-api-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-javadoc-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-jsvc-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-lib-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-log4j-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-selinux-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-31.ep7.el7.noarch.rpm
tomcat8-webapps-8.0.36-31.ep7.el7.noarch.rpm

x86_64:
tomcat-native-1.2.17-17.redhat_17.ep7.el7.x86_64.rpm
tomcat-native-debuginfo-1.2.17-17.redhat_17.ep7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2018-8014
https://access.redhat.com/security/cve/CVE-2018-8019
https://access.redhat.com/security/cve/CVE-2018-8020
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html-single/red_hat_jboss_web_server_3.1_service_pack_4_release_notes/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW3WR79zjgjWX9erEAQjlJg/7B/blF5ZtOnLSuOnQ/LjTGMkCv5Z7nFEn
171ytXEHOM4UXNMg5ggssnTf4M3N6UyieCe52stymJ+x3Kx3UORaIQasme1rAUJz
V8pYH+x84mBAGMjbtMz30FDRiZMdr2bW/Ck3dg4YFUperbh1e+Ybhm9mFBigK5s2
5Dkg/OzY02VkbzLUTzXikxw8SJafuynmn2TUuYM9kG0mlJU+/YFCnwZfVjzRCRnm
8J4a9d9rkXc/tUy1Mj8cmifuMRMhbf+OAjyglS/r3ggZ9B7wjBJXKMsJj8TiOgCl
IImLdZMVlP5/muunweL3JABz7etslp73CtJ8rJTM+ZvWSrIneogFgpF3SCBFiBti
XnnNSgSLcZ9O1vVPrvAbEx7HO23QUgEltGor+meyigGc8P9l/PrCIdDOK1ncfzZ+
sA5WiCsIv461PTAHxV2fdDxtctfSp989KwK9rTK4o1k6uOlIyu8lY1MBqK8/47gu
7Qt42rF5+ESR4UwSbZRV4ZW7RxbYlRngkXj5c7O0XZ5YCHiVlBXnL6WUEDoYkwna
nQSaan2X3G8V6O0+lhFe71qeP9SSFouc9c3mY3MzQH2tQhgcQXZL/XoxVDjcHLLI
Kub/UMtxUnE1fgH7M2DQWlmk3ixCzmt2FrIDd+dDLW6g3IWLiBbTFYY7lx9+YrvN
wRJOjUadoUA=
=Ua8H
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 3.1.0 Service Pack 4 security and bug fix update
Advisory ID:       RHSA-2018:2470-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2470
Issue date:        2018-08-16
CVE Names:         CVE-2018-8014 CVE-2018-8019 CVE-2018-8020
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It comprises the Apache HTTP
Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for
all origins (CVE-2018-8014)

* tomcat-native: Mishandled OCSP invalid response (CVE-2018-8019)

* tomcat-native: Mishandled OCSP responses can allow clients to authenticate
with revoked certificates (CVE-2018-8020)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

The following packages have been upgraded to a newer upstream version:

* OpenSSL (1.0.2n)
* APR (1.6.3)

CVE-2018-8019 and CVE-2018-8020 were discovered by Coty Sutherland (Red Hat).

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
1581569 - CVE-2018-8020 tomcat-native: Mishandled OCSP responses can allow clients to authenticate with revoked certificates
1583998 - CVE-2018-8019 tomcat-native: Mishandled OCSP invalid response

5. JIRA issues fixed (https://issues.jboss.org/):

JWS-1042 - version.txt information is outdated

6. References:

https://access.redhat.com/security/cve/CVE-2018-8014
https://access.redhat.com/security/cve/CVE-2018-8019
https://access.redhat.com/security/cve/CVE-2018-8020
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html-single/red_hat_jboss_web_server_3.1_service_pack_4_release_notes/

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW3WPWtzjgjWX9erEAQjl5A/8Deu9yTNmt4FBz2l24kIqbks3FrYHmLe6
IzdVcjS5Hy3Cs0Um9fx0xLX4r4+ONjJu2u6JgCbPX/m1BuLiA74RtCNJTzKUCgOV
R/6X3ve6oVmX+rx4aNAV3TAKguK7jTuhqNwd8g8sNSbtMmWpI5Tjinv76WTGAGzr
UZsZHjAep9MAmLLI/kKd4fiFoLEpby2UAo/jT+9eDL/CQj1EIc5N854NNvATfid7
ib+Op64qsmNhFr4hvZJ9Hq4W678K34hBHyRTlmcU2Cnwqx2/knIJcgpNeQTEGWPm
cpCj+8aYg4I91ih0rM3nEnnl92vb2iZT/EwusQfT/fCtvpk806/Wvu3IctQKUKgP
weqSqlqhp3THQEAXKaISvkRC52a3LHME0U4UEScw2fl2I3l4h+2Oz5fmOmApRBjD
8ZxeeIXqgdoncvDfr0AToPdrhV/oEsMyfIlsFvHCQTCFBV7+mKLQUkcN3wNfdbOv
uGFJ5/yeBbpSwcwvsuiiqrcB7Yf+5KYQTV5crYb+9ypBBDnAK3io7UHB6mc9uoCX
y8ihcJgDXlQQe85zNwcvjmlPrC+yq27Z5GLwrzUKChhhHqr4RbvhBjx5xQjf7wcY
n2GJUkF6hImie5oOSn0fzPClnlFvMHw0pidSGr19o5xeBxn8lHzykMczRLZ2KbR+
b6r30hMVGgE=
=BflZ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW3ZR32aOgq3Tt24GAQg2xA/8CyxRVlX/zLPwioV2WYTErGwGzL/wddnN
e84q2tfxvqQFsIHHM5P/4VQfUZFapm64PA34XH7hBrfBYOkNPMVsdsdUGVIVp6MV
q5dsjlPKEmPi5OCTuY26rVmgpoeFDv7UdDn9rdzqpsdINoCAeh7Xc57sBPxb5NzD
NBBEHPyvkzjg7CWYbLUfnshkAVK72ZmFQJImYTbSGuAkRXERcSauQCh+8Bc9+GIn
S68RhK3NwhyfRDj1yzNrnBPxuMFoPd60dfAezPLUJqhO6OFLayHMOjjhHUg7rLJr
samvOJR9W/h+cppJrYvtqsDObzW9HuhgProkYettoeKijK9Xf0sTfffH681EJCOw
HVlhNWlTH66Us0U8n8FOjrvdSlPz5saljyclD3ArddCKbLJbg346YCetpSaSjvxU
We6TSwfidjK+hnoReooi1p/QbdzjH83vZVQGWUm6yu6rkC2IJebDyqatnFygvBfn
mZlU4qXBhCeaWHlahS7/2sJ0yDtmBEwR2fD8VdJml/Ze0BlShh9K3MDSowiJKWvB
Eb0wYCptC8LGzutLI0HK7y/f0QHDYuiPL/c/A5okAPO9LjsBwsgQdDXXcASxFpQ4
bDPJjAIM2+jtAAqQj2JCczrGjDSDjIimdCSZmIgSeQpSObHxbpr+LK5Nl1iV9G1g
A56j7ITAy+o=
=AEJP
-----END PGP SIGNATURE-----
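Editor's note on CVE-2018-8014 (the CORS filter default described in both advisories above). The dangerous combination is a CorsFilter that answers any origin while also allowing credentials: a page on an attacker-controlled site can then make requests that carry the victim's session cookie and read the responses, which is the cross-site read CORS is supposed to prevent. The script below is an added example, not code from Red Hat, AusCERT or the Tomcat project. It parses a web.xml for the CorsFilter's init-params and reports the weak combination. The two web.xml documents it contains are constructed for this example; the `patched` flag is an assumption about which default applies (an absent `cors.support.credentials` is treated as true on an unpatched build, matching the advisory's description of the insecure default, and false on a fixed build), and `simulate_response_headers` is an illustrative model of the filter's response headers, not the filter's own code.

```python
"""Audit a Tomcat web.xml for the CORS weakness behind CVE-2018-8014.

Added example, not part of the advisory. Sample web.xml strings below are
constructed for this example.
"""
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"
DEFAULT_ALLOWED_ORIGINS = "*"   # CorsFilter treats a missing allow-list as "*"


def _localname(tag):
    # web.xml is usually namespaced; strip the namespace so lookups work either way.
    return tag.rsplit("}", 1)[-1]


def cors_filter_params(web_xml):
    """Return {param-name: value} for the first CorsFilter in web_xml, or None."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        if _localname(elem.tag) != "filter":
            continue
        cls, params = None, {}
        for child in elem:
            name = _localname(child.tag)
            if name == "filter-class":
                cls = (child.text or "").strip()
            elif name == "init-param":
                kv = {_localname(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if cls == CORS_FILTER_CLASS:
            return params
    return None


def effective_cors_settings(params, patched):
    """Resolve the two parameters that matter, applying the defaults.

    Assumption: before the fix an absent cors.support.credentials meant true
    (the insecure default the advisory describes); fixed builds default to false.
    """
    origins = params.get("cors.allowed.origins", DEFAULT_ALLOWED_ORIGINS)
    raw = params.get("cors.support.credentials")
    creds = (not patched) if raw is None else raw.lower() == "true"
    allowed = [o.strip() for o in origins.split(",") if o.strip()]
    return {"allowed_origins": allowed, "support_credentials": creds}


def audit_web_xml(web_xml, patched):
    """Return a finding string, or None if no CorsFilter or the config is acceptable."""
    params = cors_filter_params(web_xml)
    if params is None:
        return None
    s = effective_cors_settings(params, patched)
    if s["support_credentials"] and "*" in s["allowed_origins"]:
        return ("CorsFilter allows credentials for any origin: an attacker's page "
                "can send the victim's cookies cross-origin and read the response")
    return None


def simulate_response_headers(settings, request_origin):
    """Illustrative model (not the filter's code) of the CORS headers for a simple request.

    With any origin allowed and credentials supported, the request Origin is
    echoed back instead of '*' and Allow-Credentials is set, which is exactly
    the combination a browser accepts for a credentialed cross-origin read.
    """
    any_origin = "*" in settings["allowed_origins"]
    if not any_origin and request_origin not in settings["allowed_origins"]:
        return {}   # origin not allowed: no CORS headers, the browser blocks the read
    headers = {}
    if any_origin and not settings["support_credentials"]:
        headers["Access-Control-Allow-Origin"] = "*"
    else:
        headers["Access-Control-Allow-Origin"] = request_origin
    if settings["support_credentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


# Constructed sample: CorsFilter enabled with no init-params, the CVE-2018-8014 pattern.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter-mapping><filter-name>CorsFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

# Constructed sample: explicit origin allow-list, credentials only for that origin.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CorsFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for patched in (False, True):
            print(label, "patched" if patched else "unpatched", "->", audit_web_xml(xml, patched))
```

The hardened sample shows the practical fix regardless of Tomcat version: name the origins explicitly in `cors.allowed.origins` and set `cors.support.credentials` deliberately rather than relying on the default. Upgrading to the packages listed above changes the default, but a web.xml that sets `cors.support.credentials` to true alongside a wildcard origin list stays vulnerable after the update, which is why the audit checks the resolved settings rather than the version alone.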