-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Data Grid 7.3.5 security update
Advisory ID:       RHSA-2020:0729-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0729
Issue date:        2020-03-05
CVE Names:         CVE-2015-9251 CVE-2019-14888 CVE-2019-14892 
                   CVE-2019-14893 CVE-2019-16335 
====================================================================
1. Summary:

An update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the
Infinispan project.

This release of Red Hat Data Grid 7.3.5 serves as a replacement for Red Hat
Data Grid 7.3.4 and includes bug fixes and enhancements, which are
described in the Release Notes, linked to in the References section of this
erratum.

Security Fix(es):

* undertow: possible Denial Of Service (DOS) in Undertow HTTP server
listening on HTTPS (CVE-2019-14888)

* js-jquery: Cross-site scripting via cross-domain ajax requests
(CVE-2015-9251)

* jackson-databind: Serialization gadgets in classes of the
commons-configuration package (CVE-2019-14892)

* jackson-databind: Serialization gadgets in classes of the xalan package
(CVE-2019-14893)

* jackson-databind: polymorphic typing issue related to
com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

To install this update, do the following:

1. Download the Data Grid 7.3.5 server patch from the customer portal.
2. Back up your existing Data Grid installation. You should back up
databases, configuration files, and so on.
3. Install the Data Grid 7.3.5 server patch. Refer to the 7.3 Release Notes
for patching instructions.
4. Restart Data Grid to ensure the changes take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests
1755831 - CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource
1758171 - CVE-2019-14892 jackson-databind: Serialization gadgets in classes of the commons-configuration package
1758182 - CVE-2019-14893 jackson-databind: Serialization gadgets in classes of the xalan package
1772464 - CVE-2019-14888 undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS

5. References:

https://access.redhat.com/security/cve/CVE-2015-9251
https://access.redhat.com/security/cve/CVE-2019-14888
https://access.redhat.com/security/cve/CVE-2019-14892
https://access.redhat.com/security/cve/CVE-2019-14893
https://access.redhat.com/security/cve/CVE-2019-16335
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=7.3&downloadType=patches
https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXmD64dzjgjWX9erEAQhVEw//YhsuCp6jWyCTmV4ityeuQbAfugDZbDil
UgLHKB9LytAPXZunO8F+JpvNUAjTuPuJCXoTLY75Qz50v1Tdi1sCFr4oeQcpwkTZ
L3+x5F4p8B+xAWTtmP+dM/36OClSLDvKcT+wLcwIZs9uUhXt5a/eMcbGkEvDRqeS
56WULWu2uHYhOPr3l7SaL3V0+7GTH3QsaeqNTohn8wsSjsdVWJwh4L8St1MVdPiI
qraV1nN5DY0uqHfkIdZJY5dnhJ43PVvSgf9TS+0GFYZN78F9FMQQi94MRHQbNOuc
LJrbiVXWgyDBIPJCA0Nu5TYutIdRcD6agHXeFay2SRCEMxfXdtFVEstInAOMy7g8
daH7DGPvNG9tyC32uKJpq11/3qCulfJ2WzIocuLUnBTg13pjhpOGTSG5h+kxTybR
IU83IP24lVZOdkbXv/9GBWPwyOPpZO1IO7zUTaGPoRbGW+167pRoMp8LG28NCth3
mENbW2oBk/sAQbiUQ6oQntKmLBOC4yQDAskvWTf82csrcve0kAcOCFU5ivnRt4Mf
mePrVsHc1O/WHFyoZP9TPX99h0jYKHKxP8VE81RT2MkQmnPkL1UQcnFmtutcVqEd
LNNW7Y8V6thdeZRspwAR575lqYzq59dNkGeINHuWTv4DWHQTneVcJB7a1fAvcFB6
6hUzIjSDmgY=NGTq
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-0729:01 Important: Red Hat Data Grid 7.3.5 security update

An update for Red Hat Data Grid is now available

Summary

Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.
This release of Red Hat Data Grid 7.3.5 serves as a replacement for Red Hat Data Grid 7.3.4 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum.
Security Fix(es):
* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)
* js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)
* jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)
* jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

To install this update, do the following:
1. Download the Data Grid 7.3.5 server patch from the customer portal. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 7.3.5 server patch. Refer to the 7.3 Release Notes for patching instructions. 4. Restart Data Grid to ensure the changes take effect.

References

https://access.redhat.com/security/cve/CVE-2015-9251 https://access.redhat.com/security/cve/CVE-2019-14888 https://access.redhat.com/security/cve/CVE-2019-14892 https://access.redhat.com/security/cve/CVE-2019-14893 https://access.redhat.com/security/cve/CVE-2019-16335 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=7.3&downloadType=patches https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index

Package List


Severity
Advisory ID: RHSA-2020:0729-01
Product: Red Hat JBoss Data Grid
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0729
Issued Date: : 2020-03-05
CVE Names: CVE-2015-9251 CVE-2019-14888 CVE-2019-14892 CVE-2019-14893 CVE-2019-16335

Topic

An update for Red Hat Data Grid is now available.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests

1755831 - CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource

1758171 - CVE-2019-14892 jackson-databind: Serialization gadgets in classes of the commons-configuration package

1758182 - CVE-2019-14893 jackson-databind: Serialization gadgets in classes of the xalan package

1772464 - CVE-2019-14888 undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS


Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved