RedHat: RHSA-2020-2321:01 Important: Red Hat Data Grid 7.3.6 security update

    Date 26 May 2020
    224
    Posted By LinuxSecurity Advisories
    An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Important: Red Hat Data Grid 7.3.6 security update
    Advisory ID:       RHSA-2020:2321-01
    Product:           Red Hat JBoss Data Grid
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2321
    Issue date:        2020-05-26
    CVE Names:         CVE-2018-10862 CVE-2019-0205 CVE-2019-0210 
                       CVE-2019-10086 CVE-2019-10219 CVE-2019-14540 
                       CVE-2019-16869 CVE-2019-16942 CVE-2019-16943 
                       CVE-2019-17267 CVE-2019-20444 CVE-2019-20445 
                       CVE-2020-7238 
    =====================================================================
    
    1. Summary:
    
    An update for Red Hat Data Grid is now available.
    
    Red Hat Product Security has rated this update as having a security impact
    of Important. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available for each vulnerability
    from the CVE link(s) in the References section.
    
    2. Description:
    
    Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the
    Infinispan project.
    
    This release of Red Hat Data Grid 7.3.6 serves as a replacement for Red Hat
    Data Grid 7.3.5 and includes bug fixes and enhancements, which are
    described in the Release Notes, linked to in the References section of this
    erratum.
    
    Security Fix(es):
    
    * wildfly-core: Path traversal can allow the extraction of .war archives to
    write arbitrary files (Zip Slip) (CVE-2018-10862)
    
    * apache-commons-beanutils: does not suppresses the class property in
    PropertyUtilsBean by default (CVE-2019-10086)
    
    * netty: HTTP request smuggling by mishandled whitespace before the colon
    in HTTP headers (CVE-2019-16869)
    
    * netty: HTTP request smuggling (CVE-2019-20444)
    
    * netty: HttpObjectDecoder.java allows Content-Length header to accompanied
    by second Content-Length header (CVE-2019-20445)
    
    * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace
    mishandling (CVE-2020-7238)
    
    * thrift: Endless loop when feed with specific input data (CVE-2019-0205)
    
    * thrift: Out-of-bounds read related to TJSONProtocol or
    TSimpleJSONProtocol (CVE-2019-0210)
    
    * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
    
    * jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
    (CVE-2019-14540)
    
    * jackson-databind: Serialization gadgets in
    org.apache.commons.dbcp.datasources.* (CVE-2019-16942)
    
    * jackson-databind: Serialization gadgets in
    com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)
    
    * jackson-databind: Serialization gadgets in classes of the ehcache package
    (CVE-2019-17267)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    3. Solution:
    
    To install this update, do the following:
    
    1. Download the Data Grid 7.3.6 server patch from the customer portal. See
    the download link in the References section.
    2. Back up your existing Data Grid installation. You should back up
    databases, configuration files, and so on.
    3. Install the Data Grid 7.3.6 server patch. Refer to the 7.3 Release Notes
    for patching instructions.
    4. Restart Data Grid to ensure the changes take effect.
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1593527 - CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)
    1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS
    1755849 - CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
    1758167 - CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package
    1758187 - CVE-2019-16942 jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*
    1758191 - CVE-2019-16943 jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
    1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
    1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
    1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data
    1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
    1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
    1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
    1798524 - CVE-2019-20444 netty: HTTP request smuggling
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2018-10862
    https://access.redhat.com/security/cve/CVE-2019-0205
    https://access.redhat.com/security/cve/CVE-2019-0210
    https://access.redhat.com/security/cve/CVE-2019-10086
    https://access.redhat.com/security/cve/CVE-2019-10219
    https://access.redhat.com/security/cve/CVE-2019-14540
    https://access.redhat.com/security/cve/CVE-2019-16869
    https://access.redhat.com/security/cve/CVE-2019-16942
    https://access.redhat.com/security/cve/CVE-2019-16943
    https://access.redhat.com/security/cve/CVE-2019-17267
    https://access.redhat.com/security/cve/CVE-2019-20444
    https://access.redhat.com/security/cve/CVE-2019-20445
    https://access.redhat.com/security/cve/CVE-2020-7238
    https://access.redhat.com/security/updates/classification/#important
    https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=patches&version=7.3
    https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXs0/WtzjgjWX9erEAQj6YBAAprUkyGaWcz+RYX6fFXboPsTp+DryzK86
    I0qkM7+AcdotKa113mC6JYxxCdTScRDpEMro4hlhgdk1tkFKarlT0ygK8pQiR0JP
    lQ6Orkf267u6Dgl/WcycTYhmWL3ZnBujKf+Lw9hrI5BqHMCHkxUYTJtQoolqfEHR
    Kjm84Ztf3xb29Olrcho4AkQQruHdoc9BYDN0cVdLcO4cprYhBFxU7PFXZy6+YtiJ
    5QJwfeGnHIQcSLfaGjsLno2K4ZxRfwMX04xWn7hAaYRQV7CIfcPjqj0mCyEVfDND
    0a3WbgiMwMvkT6B0E9e7fQy02nlQbPKvsTBcvb4f0a0iJ5fJYljMowcWl0j+7Jtj
    CCdlaMEcVnk/ABF5ShP7HdB3gbEnPPQrFMIcpOwYDBxxnpR0PwqL8mGSroJD1Pp9
    S2OLc0HxqMEKmiqtJWY74+ltCSIFx0GwdkimhWJ7wnQitpIFRNeWyAMdz9IuqVXX
    Tcyys8aKXk+vZAYrCSckD4JFvguUPMcp9XJ7wANkHVlBgW0pcTdbro6jIii/xRZa
    v4mWhkNkw9qr3aIkOZ+FdcNxDkhWWq8INV5+4I8ueqebBUibl6KLptcgbs5aUauz
    KYhyKl0qcAczrmDGZK3EhvZzCWCm/NfLG8Mv9+YgIdErJg8xgeLceaoKlwDtbsWm
    ajI0qVNl6Bs=
    =dbVJ
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    

    LinuxSecurity Poll

    Are you considering making the switch to Purism's new Librem 14 Linux laptop to improve your security and privacy online?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/31-are-you-considering-making-the-switch-to-purism-s-new-librem-14-linux-laptop-to-improve-your-security-and-privacy-online?task=poll.vote&format=json
    31
    radio
    [{"id":"109","title":"Yes - the hardware kill switches and default ad blocking\/tracking protection sold me on it.","votes":"3","type":"x","order":"1","pct":37.5,"resources":[]},{"id":"110","title":"Not sure yet - I need to do more research.","votes":"4","type":"x","order":"2","pct":50,"resources":[]},{"id":"111","title":"No - I'm satisfied with my current laptop and have no security\/privacy concerns.","votes":"1","type":"x","order":"3","pct":12.5,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Advisories

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.