Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3847
jss security update
16 October 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: jss
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-14823
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:3067
Comment: This advisory references vulnerabilities in products which run on
platforms other than Red Hat. It is recommended that administrators
running Java Security Services check for an updated version of the software
for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: jss security update
Advisory ID: RHSA-2019:3067-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3067
Issue date: 2019-10-15
CVE Names: CVE-2019-14823
=====================================================================
1. Summary:
An update for jss is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
Java Security Services (JSS) provides an interface between Java Virtual
Machine and Network Security Services (NSS). It supports most of the
security standards and encryption technologies supported by NSS including
communication through SSL/TLS network protocols. JSS is primarily utilized
by the Certificate Server as a part of the Identity Management System.
Security Fix(es):
* JSS: OCSP policy "Leaf and Chain" implicitly trusts the root certificate
(CVE-2019-14823)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1747435 - CVE-2019-14823 JSS: OCSP policy "Leaf and Chain" implicitly trusts the root certificate
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
jss-4.4.6-3.el7_7.src.rpm
x86_64:
jss-4.4.6-3.el7_7.x86_64.rpm
jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm
jss-javadoc-4.4.6-3.el7_7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
jss-4.4.6-3.el7_7.src.rpm
x86_64:
jss-4.4.6-3.el7_7.x86_64.rpm
jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm
jss-javadoc-4.4.6-3.el7_7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
jss-4.4.6-3.el7_7.src.rpm
ppc64:
jss-4.4.6-3.el7_7.ppc64.rpm
jss-debuginfo-4.4.6-3.el7_7.ppc64.rpm
ppc64le:
jss-4.4.6-3.el7_7.ppc64le.rpm
jss-debuginfo-4.4.6-3.el7_7.ppc64le.rpm
s390x:
jss-4.4.6-3.el7_7.s390x.rpm
jss-debuginfo-4.4.6-3.el7_7.s390x.rpm
x86_64:
jss-4.4.6-3.el7_7.x86_64.rpm
jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
jss-debuginfo-4.4.6-3.el7_7.ppc64.rpm
jss-javadoc-4.4.6-3.el7_7.ppc64.rpm
ppc64le:
jss-debuginfo-4.4.6-3.el7_7.ppc64le.rpm
jss-javadoc-4.4.6-3.el7_7.ppc64le.rpm
s390x:
jss-debuginfo-4.4.6-3.el7_7.s390x.rpm
jss-javadoc-4.4.6-3.el7_7.s390x.rpm
x86_64:
jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm
jss-javadoc-4.4.6-3.el7_7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
jss-4.4.6-3.el7_7.src.rpm
x86_64:
jss-4.4.6-3.el7_7.x86_64.rpm
jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
jss-debuginfo-4.4.6-3.el7_7.x86_64.rpm
jss-javadoc-4.4.6-3.el7_7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-14823
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXaYG2dzjgjWX9erEAQgl4g//ewrQoDnHj/0NSspcLsuSGJXO8QdmejJz
StEKgBRw7oEKYKY3nVabUv0VKewaNtiaL8ZyxzQAq7Kp1+CnG2dA3mp08qA8Qua3
3KvjKN7d+/Y1BqfzIhom3uPqDWxTigkePbx9Ln2WnT+Yhv04zqbxsT9Dcuv6YbET
AxxHQvwiSDDiCiHNAQi0DAXncBWfW1hjWIGAIofYuI5HHzlOo6BOyWkMNtnLFgcZ
ljSHMcvLVbgFbSjpSIM2wM/bSUZXJhxxiCdA3T8Shi8EL04UB7uEsCpCEUKJ9wed
1kLWvhKG1hLnaAl9L0taKUlMStMWVmzIgBr2vsoDpdJOpaQn3In8VmTBnQIQj/A+
CgAp7NzZg+pRbKtGaQg0fTTktXTef2NlahSye41v1GVaxgJeyeGcxlVzVPFibBQt
T3OFe0hXKMjPmO99Rz+cr/cDJpD2m1uXrOnAGfkTAewXVyBNPOrpG50hodMda7gP
q2mtO5FCmExX7dQm1LyxitKNKg6dJbXwCi+QYTcqyPT1mY3pf7cXfrFVZ8ZXO+xY
7PPB3+L/09vBt1vSvSfndzBXx+aMt3zQq1D+l4Y3MfXXkm0nTTUj3ZKKymyNS1ey
AFeBpxt181bvq42pH1xqNTQXH8EZZmNTIeaXe9sK7N7/4HYZ/MVSf2DcZ1JopFP+
ypW9kz0D1CM=
=AWDo
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXaZwfWaOgq3Tt24GAQgANhAAzKIcwyH2uj+NNm/rAJT08gRKsNwxuBqz
BRlm/2qi6tVpUI+NetrKdiVsY9waZEqgfHSumOVnivu4nFCpI3jHVs7ucpb9njxl
BqaBb6i9s5PjxEb47z5dN9bvwT0eaLhjW+WD6M1apUlXDrEuAXKxTPGT4M/q+ful
Ra+YWPJX69TjSA7X1VjRH6fjw3u39MUfR51pqhcRHMdKoLUfJkze71b2KyyQEiwf
ET2se68ejHMlVA1uiYYdmaXAxIfeE7ugjp2kdzNer3CXM72V6OlqoIXjscFFKyOC
zmu9GJVMCtN9jQ3kaSMjIBnNBMtpQbx6eAM5kPqU2wopjC+TtAEJBH4VioHzna/q
JS5X+e/TFElFUHIZ74B0jpJhWse5n+Womx7iL4+EIvunyXO03LsakHHKR9NdBp9R
FKHfJXgljEOwE0j9GWzCe7EoxHbIEt6ICU61E22p47zLvhx9aH4QjTzWnQ97rki2
i3wMmRe46I/LE0cgHOlgk151C28YquqLvWn0DQM9pOAdpsAWB4MaIzCLocnPGWfs
DF1tG7RfgRIeKTW4pv9JEpk6gf6u1iip51MdAfe0IzhisYItPSyHX/2wJuZ81Wvg
PuvMX9Tmv2Ss/QJKPbm2qLh+0FMcLotlGLxypzxVvhdeaboM3JaaNnSJquiMngcz
kJ2OC7WtUN4=
=XHWJ
-----END PGP SIGNATURE-----