-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1052
     Red Hat JBoss Enterprise Application Platform 7.3 security update
                               25 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Enterprise Application Platform 7.3
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux Server 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1745 CVE-2019-14887 CVE-2019-0210 CVE-2019-0205
Reference:         ESB-2020.1024
                   ESB-2020.0916
                   ESB-2020.0915

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:0961
   https://access.redhat.com/errata/RHSA-2020:0962

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 7.3 security update
Advisory ID:       RHSA-2020:0961-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0961
Issue date:        2020-03-24
CVE Names:         CVE-2019-0205 CVE-2019-0210 CVE-2019-14887 CVE-2020-1745
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform 7.3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.

Security Fix(es):

* The 'enabled-protocols' value in legacy security is not respected if
OpenSSL security provider is in use (CVE-2019-14887)

* libthrift: thrift: Endless loop when feed with specific input data
(CVE-2019-0205)

* libthrift: thrift: Out-of-bounds read related to TJSONProtocol or
TSimpleJSONProtocol (CVE-2019-0210)

* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must
log in to download the update).

You must restart the JBoss server process for the update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data
1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2019-0205
https://access.redhat.com/security/cve/CVE-2019-0210
https://access.redhat.com/security/cve/CVE-2019-14887
https://access.redhat.com/security/cve/CVE-2020-1745
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXnnrgNzjgjWX9erEAQgg8w/+ORcAoBTRHPbiIvRbhhCHZbpF3LfSq94X
nzuJM8BoE2Q60pzNsZ3Vb2/ns+IZJz2gnLGA9FYKpYM8SJfZEqsQT9IRzuzb77nF
I3RqJKlxn1vxtuw+vNh9wiOw0D0xSetXaz7iICEKrGRtCQSnyAECLbpGHzgZ+zTM
TFPjV81tYtrf1Osh60QsPzYp66D8CvApYyXOfAdxLXCspF+iBL6+1p0To0fskp8H
BnGpiKgANlqBn8Thi0xnC+ogPVG83jNkCkuoh9tJY5OZmkXlkGujY+guEF3Zuizj
fg2VV7AmJPWQPSMzn5Qu0Vm0uSNYZ+xdVJ6sqVWePVpOst4iavvMxqYP5jqPo/WS
/5F0Wn5zjCzxuC4ODMuanxEvXsvBoQJMOq1YiVB590oNeaWsYiI2FvxdPLW4q/8T
dnvagoZDjlWX+3HwTz6dx+WiQ0I/jgNomfB91Exd6wjniyTgwtFipIC06JcxZg5u
n66UmR0qnXqhWB7ho6W4+FpsJamqRAQHbYX450s6USu9oyVTFXQXa7JEA97+DBC6
M9y8RWVhc7dAj9D3EVebwcXlVaTUWC99/ovxe19qKZIUVNsindG0tWAgGy7gu9xC
zM39nafy7XLU4T9HBrxyxpUFlw3OMd1zKQGd5nnJ7VjcybVvV3LAi07XnzdpM+ND
ANlsz/b+zeg=
=xKZW
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 7.3 security update
Advisory ID:       RHSA-2020:0962-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0962
Issue date:        2020-03-24
CVE Names:         CVE-2019-0205 CVE-2019-0210 CVE-2019-14887 CVE-2020-1745
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform 7.3 for Red Hat Enterprise Linux 6, 7, and 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch, x86_64
Red Hat JBoss EAP 7.3 for RHEL 6 Server - noarch, x86_64
Red Hat JBoss EAP 7.3 for RHEL 7 Server - noarch, x86_64

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.

Security Fix(es):

* The 'enabled-protocols' value in legacy security is not respected if
OpenSSL security provider is in use (CVE-2019-14887)

* libthrift: thrift: Endless loop when feed with specific input data
(CVE-2019-0205)

* libthrift: thrift: Out-of-bounds read related to TJSONProtocol or
TSimpleJSONProtocol (CVE-2019-0210)

* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

You must restart the JBoss server process for the update to take effect.

For details about how to apply this update, see:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data
1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability

6. Package List:

Red Hat JBoss EAP 7.3 for RHEL 6 Server:

Source:
eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el6eap.src.rpm
eap7-thrift-0.13.0-1.redhat_00002.1.el6eap.src.rpm
eap7-undertow-2.0.28-4.SP1_redhat_00002.1.el6eap.src.rpm
eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el6eap.src.rpm
eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el6eap.src.rpm

noarch:
eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el6eap.noarch.rpm
eap7-jaegertracing-jaeger-client-java-core-0.34.1-1.redhat_00002.1.el6eap.noarch.rpm
eap7-jaegertracing-jaeger-client-java-thrift-0.34.1-1.redhat_00002.1.el6eap.noarch.rpm
eap7-thrift-0.13.0-1.redhat_00002.1.el6eap.noarch.rpm
eap7-undertow-2.0.28-4.SP1_redhat_00002.1.el6eap.noarch.rpm
eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-openssl-java-1.0.9-2.SP03_redhat_00001.1.el6eap.noarch.rpm

x86_64:
eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el6eap.x86_64.rpm
eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.9-2.SP03_redhat_00001.1.el6eap.x86_64.rpm

Red Hat JBoss EAP 7.3 for RHEL 7 Server:

Source:
eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el7eap.src.rpm
eap7-thrift-0.13.0-1.redhat_00002.1.el7eap.src.rpm
eap7-undertow-2.0.28-4.SP1_redhat_00002.1.el7eap.src.rpm
eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el7eap.src.rpm

noarch:
eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el7eap.noarch.rpm
eap7-jaegertracing-jaeger-client-java-core-0.34.1-1.redhat_00002.1.el7eap.noarch.rpm
eap7-jaegertracing-jaeger-client-java-thrift-0.34.1-1.redhat_00002.1.el7eap.noarch.rpm
eap7-thrift-0.13.0-1.redhat_00002.1.el7eap.noarch.rpm
eap7-undertow-2.0.28-4.SP1_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-openssl-java-1.0.9-2.SP03_redhat_00001.1.el7eap.noarch.rpm

x86_64:
eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el7eap.x86_64.rpm
eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.9-2.SP03_redhat_00001.1.el7eap.x86_64.rpm

Red Hat JBoss EAP 7.3 for BaseOS-8:

Source:
eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el8eap.src.rpm
eap7-thrift-0.13.0-1.redhat_00002.1.el8eap.src.rpm
eap7-undertow-2.0.28-4.SP1_redhat_00002.1.el8eap.src.rpm
eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el8eap.src.rpm

noarch:
eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-jaegertracing-jaeger-client-java-core-0.34.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-jaegertracing-jaeger-client-java-thrift-0.34.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-thrift-0.13.0-1.redhat_00002.1.el8eap.noarch.rpm
eap7-undertow-2.0.28-4.SP1_redhat_00002.1.el8eap.noarch.rpm
eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-openssl-java-1.0.9-2.SP03_redhat_00001.1.el8eap.noarch.rpm

x86_64:
eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el8eap.x86_64.rpm
eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.9-2.SP03_redhat_00001.1.el8eap.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-0205
https://access.redhat.com/security/cve/CVE-2019-0210
https://access.redhat.com/security/cve/CVE-2019-14887
https://access.redhat.com/security/cve/CVE-2020-1745
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXnnxl9zjgjWX9erEAQg0Kg//SqSxSEZGGRcaHJePfJ3GtY1E6EcqTJAm
SsnW0in2uP/PXicnAV5sCQtaw7GbmsIArm5SSPabYnpvkHVUxgBSmRFzd0Rga3Uh
Q3JhI6kdaZkDz/q+o6IRl/SwY046elslZuO6QbNnnnMMBq+Nz8OUky5pGHeadfHY
kMF1J3OSdi1gRblsqeSh5j0OC6cyCBD9yjUzmN36cMEqZzdOAcS06hNqEwHtCuQE
eFBPSHmelXs4nk2OyMMW77uXHDAiTvVgvhjXXj7tzVa3Mhn731jaITu1gBnx7g9b
rqzlB4j5jawpuTjmdaOmmKaN8DnAf938po7vNKB7SYzRDV1EG3Av8/IWKI1ooFVN
1zXrVhoL5Myes8GezS24LzzkX26NNAhgE2VqOu9BaFPEct4wM7IZ8xTNRYkuGpqu
8+IqwK5XDNOcV25q+5XNAYCBTf13B/bAY9nz63DOf1M3Xje44YUOjb4njAupwCWA
YX0s37ZcoaSaX6jW9c7qMl0z+hyy+QY/C1uGz2jbAe4FJDukqU07R6QMBglrYgXm
hZxEFfM49nhPZ8TCgULssJcHMt1fBQDZmEgfcga17einBTtrTDjofP9XT+1maecU
dbAuSkb1J9SIYhyVicwvQGyqW5Hw8fpiChLdFe7It8os+N/viGpETJ6v6NKQ8U4r
z0cTVdArboc=
=SCgd
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXnrcMWaOgq3Tt24GAQhbXRAAkMRZOtwnoTm/F4ywcV33l9tobYokRQ2x
XraKSHSujKcOsq0bxGGgFOtqXBC13b7u+70ZS7jh9VcjrueeqGyd4PKelNa0OXM7
8+LYXnKImywF1fN24bHechjwEJhwhk3U1w81zs60ZHSagQi4BwI7Xx0igphyg5Kt
ijAdyyzDOkPFNqIYArbOyctSJG8apJAuE/Esukvgfwp2RcmAzLzDdMxqIwLJB+q3
MQT+WKUzsRoOM3eQyZzK/hwxcomW/nTg95ULvaLT17ti81nXoT/HLDd1awyDEkfe
8TCw3kd3rZ/wn1ggGuGRjp+2PeJxNJIPVIEoILq4huWxNxNbS7SNwPM0BWdxD1/r
uZSotosvlh7hczB17K+NRC9NQfc9svYVU52uObZpMNjHvYLbtiNY2UBkLpvUPMS2
v3UTBBrA3ausFWUFiHqryxfLDhcjeoRoWO1go/AyoZNRIotl9x9JC43Wmd4xvD50
jUyugOd2VjUS41urHKwM1svHI+/ToIrXZoyQ9f0CN7NiVpqtQUdpz+PvA6enPbMA
owYKE2d2wPnembu9BodobJLC1+mzKSvVfBf61bdAlXAN66ZIu0h4yuWHmqi6raXH
agvWzcNTs1waiHj/W+jqM9wSZmu5kAMFO4WGxPI1FacMFZLckvbiKd0RVAOFAH3M
xHxXKFa4IIM=
=G0sC
-----END PGP SIGNATURE-----
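The package list in section 6 of RHSA-2020:0962 above gives the fixed builds, but checking a fleet against it needs RPM's own version ordering rather than a plain string comparison: a release such as 2.SP03_redhat_00001 must sort above 2.SP02_redhat_00001, a higher version wins regardless of release, and an epoch overrides both. The following is an added example, not code from Red Hat or AusCERT: it ports rpmvercmp to pure Python and compares a constructed `rpm -qa --qf` inventory for the RHEL 7 channel against the fixed versions copied from the advisory, reporting what is still below the fixed build. The inventory lines, the "older" build strings in them, and the assumption that the fixed packages carry epoch 0 are all constructed for the example.

```python
"""Check an RPM inventory against the EAP 7.3 builds fixed in RHSA-2020:0962.

Added example, not part of the Red Hat or AusCERT bulletin. Fixed strings are
copied from the advisory's RHEL 7 package list; the inventory is constructed.
"""
import re

# Fixed (epoch, version, release) per package, from section 6 of RHSA-2020:0962
# ("Red Hat JBoss EAP 7.3 for RHEL 7 Server"). The advisory's file names carry
# no epoch, so epoch 0 is assumed here.
FIXED_EL7 = {
    "eap7-jaegertracing-jaeger-client-java": (0, "0.34.1", "1.redhat_00002.1.el7eap"),
    "eap7-thrift": (0, "0.13.0", "1.redhat_00002.1.el7eap"),
    "eap7-undertow": (0, "2.0.28", "4.SP1_redhat_00002.1.el7eap"),
    "eap7-wildfly-openssl": (0, "1.0.9", "2.SP03_redhat_00001.1.el7eap"),
    "eap7-wildfly-openssl-java": (0, "1.0.9", "2.SP03_redhat_00001.1.el7eap"),
    "eap7-wildfly-openssl-linux-x86_64": (0, "1.0.9", "2.SP03_redhat_00001.1.el7eap"),
}

# Constructed sample of: rpm -qa --qf '%{NAME}\t%{EPOCH}\t%{VERSION}\t%{RELEASE}\n'
# The "older" build strings below are placeholders invented for the example.
SAMPLE_INVENTORY = (
    "eap7-undertow\t(none)\t2.0.28\t3.SP1_redhat_00001.1.el7eap\n"
    "eap7-thrift\t(none)\t0.13.0\t1.redhat_00002.1.el7eap\n"
    "eap7-wildfly-openssl\t(none)\t1.0.9\t2.SP03_redhat_00001.1.el7eap\n"
    "eap7-wildfly-openssl-java\t(none)\t1.0.9\t2.SP02_redhat_00001.1.el7eap\n"
    "eap7-wildfly-openssl-linux-x86_64\t(none)\t1.0.8\t5.SP03_redhat_00001.1.el7eap\n"
    "eap7-jaegertracing-jaeger-client-java\t(none)\t0.34.1\t1.redhat_00003.1.el7eap\n"
    "bash\t(none)\t4.2.46\t34.el7\n"
)


def rpmvercmp(a: str, b: str) -> int:
    """Pure-Python port of RPM's rpmvercmp(): -1, 0 or 1 as a <, ==, > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta or tb:  # tilde sorts before everything, even end of string
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return 1 if tb else -1
        ca, cb = a[i:i + 1] == "^", b[j:j + 1] == "^"
        if ca or cb:  # caret: like tilde, except end of string sorts before it
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if ca and cb:
                i, j = i + 1, j + 1
                continue
            return 1 if cb else -1
        if i >= len(a) or j >= len(b):
            break
        # Take one run of digits or one run of letters from a, same kind from b.
        numeric = a[i].isdigit()
        pat = r"\d+" if numeric else r"[^\W\d_]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if mb is None:  # type mismatch: a numeric segment is newer than letters
            return 1 if numeric else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # longer digit string is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever still has characters left wins


def evr_cmp(x, y) -> int:
    """Compare (epoch, version, release) tuples the way rpm orders packages."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_inventory(text: str) -> dict:
    """Parse NAME/EPOCH/VERSION/RELEASE tab-separated lines; '(none)' epoch is 0."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, epoch, version, release = line.split("\t")
            pkgs[name] = (0 if epoch == "(none)" else int(epoch), version, release)
    return pkgs


def find_unpatched(inventory_text: str, fixed=FIXED_EL7) -> dict:
    """Return {name: (installed_evr, fixed_evr)} for packages below the fixed build."""
    installed = parse_inventory(inventory_text)
    return {n: (installed[n], fixed[n]) for n in installed
            if n in fixed and evr_cmp(installed[n], fixed[n]) < 0}


if __name__ == "__main__":
    for name, (have, want) in sorted(find_unpatched(SAMPLE_INVENTORY).items()):
        print(f"{name}: installed {have[1]}-{have[2]}, fixed in {want[1]}-{want[2]}")
```

Run against real hosts by replacing SAMPLE_INVENTORY with the output of the `rpm -qa --qf` query shown in the comment; packages not named in the advisory are ignored, and a build newer than the fixed one (a later erratum) is correctly not flagged. Note that this only confirms the RPM is installed: the advisory also requires restarting the JBoss server process before the fix is in effect.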