Alerts This Week
Warning Icon 1 692
Alerts This Week
Warning Icon 1 692

RedHat: RHSA-2020-2067-01 Important: Thorntail 2.5.1 Security Update

red hat
Calendar Grey May 18, 2020
Dist Redhat Esm H88
Ubuntu announces an essential patch for Nginx 1.20.0, fixing multiple vulnerabilities. Safeguard your servers now.
An update is now available for Red Hat build of Thorntail

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

Summary

This release of Red Hat build of Thorntail 2.5.1 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fix(es):
* apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)
* cxf: does not restrict the number of message attachments (CVE-2019-12406)
* cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12419)
* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
* HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
* HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
* HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)
* HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)
* jackson-databind: Multiple serialization gadgets (CVE-2019-17531, CVE-2019-16943, CVE-2019-16942, CVE-2019-17267, CVE-2019-14540, CVE-2019-16335, CVE-2019-14893, CVE-2019-14892, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2020-10969, CVE-2020-10968, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2019-20330, CVE-2020-8840)
* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672, CVE-2020-10673)
* keycloak: adapter endpoints are exposed via arbitrary URLs (CVE-2019-14820)
* keycloak: missing signatures validation on CRL used to verify client certificates (CVE-2019-3875)
* keycloak: SAML broker does not check existence of signature on document allowing any user impersonation (CVE-2019-10201)
* keycloak: CSRF check missing in My Resources functionality in the Account Console (CVE-2019-10199)
* keycloak: cross-realm user access auth bypass (CVE-2019-14832)
* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
* SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729)
* thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
* thrift: Endless loop when feed with specific input data (CVE-2019-0205)
* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)
* wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)
* wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default (CVE-2019-14838)
* xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400)
For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.

Topics%20covered

Topics Covered

security advisory red hat bug fix remote execution important thorntail red hat openShift

References

https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-3875 https://access.redhat.com/security/cve/CVE-2019-9511 https://access.redhat.com/security/cve/CVE-2019-9512 https://access.redhat.com/security/cve/CVE-2019-9514 https://access.redhat.com/security/cve/CVE-2019-9515 https://access.redhat.com/security/cve/CVE-2019-10086 https://access.redhat.com/security/cve/CVE-2019-10199 https://access.redhat.com/security/cve/CVE-2019-10201 https://access.redhat.com/security/cve/CVE-2019-10219 https://access.redhat.com/security/cve/CVE-2019-12400 https://access.redhat.com/security/cve/CVE-2019-12406 https://access.redhat.com/security/cve/CVE-2019-12419 https://access.redhat.com/security/cve/CVE-2019-14540 https://access.redhat.com/security/cve/CVE-2019-14820 https://access.redhat.com/security/cve/CVE-2019-14832 https://access.redhat.com/security/cve/CVE-2019-14838 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-14888 https://access.redhat.com/security/cve/CVE-2019-14892 https://access.redhat.com/security/cve/CVE-2019-14893 https://access.redhat.com/security/cve/CVE-2019-16335 Read the Full Advisory

Package List


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2020:2067-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2067
Issue date: 2020-05-18

Topic

An update is now available for Red Hat build of Thorntail.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for eachvulnerability. For more information, see the CVE links in the Referencessection.

Topics%20covered

Topics Covered

security advisory red hat bug fix remote execution important thorntail red hat openShift

Relevant Releases Architectures

Bugs Fixed

1649870 - CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs

1690628 - CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates

1728609 - CVE-2019-10201 keycloak: SAML broker does not check existence of signature on document allowing any user impersonation

1729261 - CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console

1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth

1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth

1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth

1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS

1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service

1749487 - CVE-2019-14832 keycloak: cross-realm user access auth bypass

1751227 - CVE-2019-14838 wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default

1755831 - CVE-2019-16335 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource

1755849 - CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig

1758167 - CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here