Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 524
Alerts This Week
Warning Icon 1 524

Red Hat JBoss Core Services Update: RHSA-2019-1297-01 Important DoS Fix

red hat
Calendar Grey May 30, 2019
Dist Redhat Esm H88
Crucial patch released for Red Hat JBoss Core Services tackling severe security flaws. Update immediately to safeguard your systems.
An update is now available for JBoss Core Services on RHEL 6 and RHEL 7

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Summary

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.
This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Service Pack 2 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.29, and includes bug fixes for CVEs which are linked to in the References section.
Security Fix(es):
* openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang (CVE-2018-0732)
* openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495)
* httpd: privilege escalation from modules scripts (CVE-2019-0211)
Details around this issue, including information about the CVE, severity of the issue, and CVSS scores can be found on the CVE pages listed in the References section below.

References

https://access.redhat.com/security/cve/CVE-2018-0495 https://access.redhat.com/security/cve/CVE-2018-0732 https://access.redhat.com/security/cve/CVE-2019-0211 https://access.redhat.com/security/updates/classification#important

Package List

Red Hat JBoss Core Services on RHEL 6 Server:
Source: jbcs-httpd24-httpd-2.4.29-40.jbcs.el6.src.rpm jbcs-httpd24-openssl-1.0.2n-15.jbcs.el6.src.rpm
i386: jbcs-httpd24-httpd-2.4.29-40.jbcs.el6.i686.rpm jbcs-httpd24-httpd-debuginfo-2.4.29-40.jbcs.el6.i686.rpm jbcs-httpd24-httpd-devel-2.4.29-40.jbcs.el6.i686.rpm jbcs-httpd24-httpd-selinux-2.4.29-40.jbcs.el6.i686.rpm jbcs-httpd24-httpd-tools-2.4.29-40.jbcs.el6.i686.rpm jbcs-httpd24-mod_ldap-2.4.29-40.jbcs.el6.i686.rpm jbcs-httpd24-mod_proxy_html-2.4.29-40.jbcs.el6.i686.rpm jbcs-httpd24-mod_session-2.4.29-40.jbcs.el6.i686.rpm jbcs-httpd24-mod_ssl-2.4.29-40.jbcs.el6.i686.rpm jbcs-httpd24-openssl-1.0.2n-15.jbcs.el6.i686.rpm jbcs-httpd24-openssl-debuginfo-1.0.2n-15.jbcs.el6.i686.rpm jbcs-httpd24-openssl-devel-1.0.2n-15.jbcs.el6.i686.rpm jbcs-httpd24-openssl-libs-1.0.2n-15.jbcs.el6.i686.rpm jbcs-httpd24-openssl-perl-1.0.2n-15.jbcs.el6.i686.rpm jbcs-httpd24-openssl-static-1.0.2n-15.jbcs.el6.i686.rpm
noarch: jbcs-httpd24-httpd-manual-2.4.29-40.jbcs.el6.noarch.rpm
x86_64: jbcs-httpd24-httpd-2.4.29-40.jbcs.el6.x86_64.rpm jbcs-httpd24-httpd-debuginfo-2.4.29-40.jbcs.el6.x86_64.rpm jbcs-httpd24-httpd-devel-2.4.29-40.jbcs.el6.x86_64.rpm jbcs-httpd24-httpd-selinux-2.4.29-40.jbcs.el6.x86_64.rpm

Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2019:1297-01
Product: Red Hat JBoss Core Services
Issue date: 2019-05-30

Topic

An update is now available for JBoss Core Services on RHEL 6 and RHEL 7.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE links in the References section.

Relevant Releases Architectures

Red Hat JBoss Core Services on RHEL 6 Server - i386, noarch, x86_64

Red Hat JBoss Core Services on RHEL 7 Server - noarch, x86_64

Bugs Fixed

1591100 - CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang

1591163 - CVE-2018-0495 openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries

1694980 - CVE-2019-0211 httpd: privilege escalation from modules scripts

6. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

JBCS-620 - httpd segfaults when doing graceful reload

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.