===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0180
  Moderate: Red Hat JBoss Web Server 3.1 Service Pack 6 security and bug fix update
                              23 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           JBoss Web Server
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11784 CVE-2018-8034
Reference:         ESB-2018.3742.3
                   ESB-2018.3703
                   ESB-2018.3274
                   ESB-2018.3201
                   ESB-2018.2951
                   ESB-2018.2751
                   ESB-2018.2600
                   ESB-2018.2563

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:0130
   https://access.redhat.com/errata/RHSA-2019:0131

Comment: This bulletin contains two (2) advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 3.1 Service Pack 6 security and bug fix update
Advisory ID:       RHSA-2019:0131-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0131
Issue date:        2019-01-22
CVE Names:         CVE-2018-8034 CVE-2018-11784
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and
Red Hat JBoss Web Server 3.1 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.1 for RHEL 6 - i386, noarch, x86_64
Red Hat JBoss Web Server 3.1 for RHEL 7 - noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 5 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: host name verification missing in WebSocket client (CVE-2018-8034)

* tomcat: Open redirect in default servlet (CVE-2018-11784)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1607580 - CVE-2018-8034 tomcat: host name verification missing in WebSocket client
1636512 - CVE-2018-11784 tomcat: Open redirect in default servlet

6. JIRA issues fixed (https://issues.jboss.org/):

JWS-1140 - [ASF BZ 62892] tomcat-native memory leak when using Mutual authentication + OCSP

7. Package List:

Red Hat JBoss Web Server 3.1 for RHEL 6:

Source:
tomcat-native-1.2.17-18.redhat_18.ep7.el6.src.rpm
tomcat7-7.0.70-31.ep7.el6.src.rpm
tomcat8-8.0.36-35.ep7.el6.src.rpm

i386:
tomcat-native-1.2.17-18.redhat_18.ep7.el6.i686.rpm
tomcat-native-debuginfo-1.2.17-18.redhat_18.ep7.el6.i686.rpm

noarch:
tomcat7-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-admin-webapps-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-docs-webapp-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-javadoc-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-jsvc-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-lib-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-log4j-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-selinux-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-31.ep7.el6.noarch.rpm
tomcat7-webapps-7.0.70-31.ep7.el6.noarch.rpm
tomcat8-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-admin-webapps-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-docs-webapp-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-el-2.2-api-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-javadoc-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-jsvc-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-lib-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-log4j-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-selinux-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-35.ep7.el6.noarch.rpm
tomcat8-webapps-8.0.36-35.ep7.el6.noarch.rpm

x86_64:
tomcat-native-1.2.17-18.redhat_18.ep7.el6.x86_64.rpm
tomcat-native-debuginfo-1.2.17-18.redhat_18.ep7.el6.x86_64.rpm

Red Hat JBoss Web Server 3.1 for RHEL 7:

Source:
tomcat-native-1.2.17-18.redhat_18.ep7.el7.src.rpm
tomcat7-7.0.70-31.ep7.el7.src.rpm
tomcat8-8.0.36-35.ep7.el7.src.rpm

noarch:
tomcat7-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-admin-webapps-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-docs-webapp-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-javadoc-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-jsvc-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-lib-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-log4j-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-selinux-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-31.ep7.el7.noarch.rpm
tomcat7-webapps-7.0.70-31.ep7.el7.noarch.rpm
tomcat8-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-admin-webapps-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-docs-webapp-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-el-2.2-api-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-javadoc-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-jsvc-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-lib-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-log4j-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-selinux-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-35.ep7.el7.noarch.rpm
tomcat8-webapps-8.0.36-35.ep7.el7.noarch.rpm

x86_64:
tomcat-native-1.2.17-18.redhat_18.ep7.el7.x86_64.rpm
tomcat-native-debuginfo-1.2.17-18.redhat_18.ep7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2018-8034
https://access.redhat.com/security/cve/CVE-2018-11784
https://access.redhat.com/security/updates/classification/#moderate

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

--------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 3.1 Service Pack 6 security and bug fix update
Advisory ID:       RHSA-2019:0130-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:0130
Issue date:        2019-01-22
CVE Names:         CVE-2018-8034 CVE-2018-11784
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1.

Red Hat Product Security has rated this release as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 6 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: host name verification missing in WebSocket client (CVE-2018-8034)

* tomcat: Open redirect in default servlet (CVE-2018-11784)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1607580 - CVE-2018-8034 tomcat: host name verification missing in WebSocket client
1636512 - CVE-2018-11784 tomcat: Open redirect in default servlet

5. JIRA issues fixed (https://issues.jboss.org/):

JWS-1140 - [ASF BZ 62892] tomcat-native memory leak when using Mutual authentication + OCSP

6. References:

https://access.redhat.com/security/cve/CVE-2018-8034
https://access.redhat.com/security/cve/CVE-2018-11784
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
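An added check, not part of the AusCERT or Red Hat text above: the script below compares a captured `rpm -qa` listing against the fixed tomcat7, tomcat8 and tomcat-native builds from the advisory's package list and reports any installed build that predates the fix. The `rpm -qa` output is a constructed sample, the subpackage-to-source mapping is an assumption based on the package names in the list, and the version comparison is a simplified rpmvercmp that ignores tilde and caret rules.

```python
import re
_SEG = re.compile(r"\d+|[a-zA-Z]+")  # alphanumeric segments, as rpmvercmp splits them

# Fixed builds from the RHSA-2019:0131 package list, VERSION-RELEASE minus the dist tag.
FIXED = {
    "tomcat7": "7.0.70-31.ep7",
    "tomcat8": "8.0.36-35.ep7",
    "tomcat-native": "1.2.17-18.redhat_18.ep7",
}
# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`; not advisory data.
SAMPLE_RPM_QA = """\
tomcat8 8.0.36-33.ep7.el7
tomcat8-lib 8.0.36-35.ep7.el7
tomcat-native 1.2.17-18.redhat_18.ep7.el7
httpd 2.4.6-80.el7
"""

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret rules): digit runs compare numerically,
    letter runs lexically, and a numeric segment beats an alphabetic one."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer version is newer

def base_package(name):
    """Map a subpackage such as tomcat8-lib to its source package in FIXED, else None."""
    for base in FIXED:
        if name == base or name.startswith(base + "-"):
            return base
    return None

def unpatched(rpm_qa_output):
    """Return {package: installed VERSION-RELEASE} for builds older than the fix."""
    stale = {}
    for line in rpm_qa_output.splitlines():
        name, _, ver = line.partition(" ")
        base = base_package(name)
        if base is None:
            continue
        installed = re.sub(r"\.el\d+$", "", ver)  # strip .el6/.el7 before comparing
        if rpm_vercmp(installed, FIXED[base]) < 0:
            stale[name] = ver
    return stale
```

On a real host, feed `unpatched()` the output of the `rpm -qa --qf` command quoted in the comment; an empty result means every covered package is at or above the fixed build.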