-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2984
     Important: Red Hat JBoss Web Server 5.0 Service Pack 1 security and
                              bug fix update
                               4 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Web Server 5.0
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux Server 7
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8037
Reference:         ESB-2018.2751
                   ESB-2018.2563
                   ESB-2018.2125.2

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2018:2867
   https://access.redhat.com/errata/RHSA-2018:2868

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 5.0 Service Pack 1 security and bug fix update
Advisory ID:       RHSA-2018:2867-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2867
Issue date:        2018-10-03
CVE Names:         CVE-2018-8037
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 5.0 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 5.0, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Information Disclosure (CVE-2018-8037)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1607582 - CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up

5. JIRA issues fixed (https://issues.jboss.org/):

JWS-1028 - Failures in jBPM embedded use case with H2 database
JWS-1064 - Update the Tomcat fork of Commons DBCP 2 to 2.4.0
JWS-1065 - Tomcat Commons Pool Update
JWS-1121 - Update the internal fork of Apache Commons DBCP 2 to abc0484 (2018-08-09) to pick up some bug fixes and enhancements
JWS-1124 - ARJUNA016082: Synchronizations are not allowed! Transaction status is ActionStatus.RUNNING when running jBPM engine in KIE server deployed to Tomcat
JWS-996 - Connection leak during XATransaction in high load

6. References:

https://access.redhat.com/security/cve/CVE-2018-8037
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>.
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 5.0 Service Pack 1 security and bug fix update
Advisory ID:       RHSA-2018:2868-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2868
Issue date:        2018-10-03
CVE Names:         CVE-2018-8037
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
2. Relevant releases/architectures:

Red Hat JBoss Web Server 5.0 for RHEL 6 Server - noarch
Red Hat JBoss Web Server 5.0 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 5.0 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 5.0, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Information Disclosure (CVE-2018-8037)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1607582 - CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up

6. JIRA issues fixed (https://issues.jboss.org/):

JWS-1028 - Failures in jBPM embedded use case with H2 database
JWS-1064 - Update the Tomcat fork of Commons DBCP 2 to 2.4.0
JWS-1065 - Tomcat Commons Pool Update
JWS-1121 - Update the internal fork of Apache Commons DBCP 2 to abc0484 (2018-08-09) to pick up some bug fixes and enhancements
JWS-1124 - ARJUNA016082: Synchronizations are not allowed! Transaction status is ActionStatus.RUNNING when running jBPM engine in KIE server deployed to Tomcat
JWS-996 - Connection leak during XATransaction in high load

7. Package List:

Red Hat JBoss Web Server 5.0 for RHEL 6 Server:

Source:
jws5-tomcat-9.0.7-12.redhat_12.1.el6jws.src.rpm

noarch:
jws5-tomcat-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-javadoc-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-jsvc-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-lib-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-selinux-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-webapps-9.0.7-12.redhat_12.1.el6jws.noarch.rpm

Red Hat JBoss Web Server 5.0 for RHEL 7 Server:

Source:
jws5-tomcat-9.0.7-12.redhat_12.1.el7jws.src.rpm

noarch:
jws5-tomcat-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-javadoc-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-jsvc-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-lib-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-selinux-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-webapps-9.0.7-12.redhat_12.1.el7jws.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2018-8037
https://access.redhat.com/security/updates/classification/#important

9. Contact:

The Red Hat security contact is <secalert@redhat.com>.
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
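Added example, not part of the AusCERT or Red Hat text: a small checker that compares installed jws5-tomcat package NVRs (as printed by `rpm -qa`) against the fixed builds in the Package List of RHSA-2018:2867/2868, using a simplified rpmvercmp segment comparison. The `rpm -qa` lines in SAMPLE are constructed, including the older release string used to show a not-yet-patched package.

```python
"""Added example: flag jws5-tomcat packages older than the fixed builds in
RHSA-2018:2867/2868. rpmvercmp rules are simplified (no tilde/caret handling):
numeric segments compare as integers, alphabetic ones lexically, and a numeric
segment sorts after an alphabetic one."""
import re

# Fixed version/release per advisory Package List (el6jws and el7jws builds).
FIXED = {
    "el6jws": ("9.0.7", "12.redhat_12.1.el6jws"),
    "el7jws": ("9.0.7", "12.redhat_12.1.el7jws"),
}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two version (or release) strings."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1          # numeric beats alphabetic
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(nvr):
    """True when name-version-release is at or above the advisory's fixed build."""
    _name, ver, rel = nvr.rsplit("-", 2)
    dist = rel.rsplit(".", 1)[-1]           # e.g. 'el7jws'
    if dist not in FIXED:
        raise ValueError("no fixed build known for dist tag %r" % dist)
    fixed_ver, fixed_rel = FIXED[dist]
    c = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
    return c >= 0

def check(rpm_qa_output):
    """Map each installed jws5-tomcat* NVR in `rpm -qa` output to True (fixed) / False."""
    return {nvr: is_fixed(nvr) for nvr in rpm_qa_output.split()
            if nvr.startswith("jws5-tomcat")}

# Constructed sample of `rpm -qa 'jws5-tomcat*'` output; the -10.redhat_10.1
# release is made up to stand in for an unpatched install.
SAMPLE = """jws5-tomcat-9.0.7-12.redhat_12.1.el7jws
jws5-tomcat-lib-9.0.7-10.redhat_10.1.el7jws
jws5-tomcat-webapps-9.0.7-12.redhat_12.1.el7jws"""

if __name__ == "__main__":
    for nvr, ok in check(SAMPLE).items():
        print("fixed     " if ok else "VULNERABLE", nvr)
```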