Red Hat RHEL 8: RHSA-2020-2513-01 Important: JBoss EAP Security Fix
red hat
June 11, 2020
An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8
Solution
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
Summary
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.3.1 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.0,
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.3.1 Release Notes for information about the most
significant bug fixes and enhancements included in this release.
Security Fix(es):
* cxf: reflected XSS in the services listing page (CVE-2019-17573)
* cxf-core: cxf: OpenId Connect token service does not properly validate
the clientId (CVE-2019-12423)
* jackson-mapper-asl: XML external entity similar to CVE-2016-3720
(CVE-2019-10172)
* undertow: servletPath in normalized incorrectly leading to dangerous
application mapping which could result in security bypass (CVE-2020-1757)
* jackson-databind: XML external entity similar to CVE-2016-3720
(CVE-2019-10172)
* jackson-mapper-asl: XML external entity similar to CVE-2016-3720
(CVE-2019-10172)
* resteasy-jaxrs: resteasy: Improper validation of response header in
MediaTypeHeaderDelegate.java class (CVE-2020-1695)
* cryptacular: excessive memory allocation during a decode operation
(CVE-2020-7226)
* smallrye-config: SmallRye: SecuritySupport class is incorrectly public
and contains a static method to access the current threads context class
loader (CVE-2020-1729)
* resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected
XSS attack (CVE-2020-10688)
* jackson-databind: Lacks certain xbean-reflect/JNDI blocking
(CVE-2020-8840)
* undertow: invalid HTTP request with large chunk size (CVE-2020-10719)
* jackson-databind: Serialization gadgets in shaded-hikari-config
(CVE-2020-9546)
* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)
* jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)
* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)
* libthrift: thrift: Endless loop when feed with specific input data
(CVE-2019-0205)
* libthrift: thrift: Out-of-bounds read related to TJSONProtocol or
TSimpleJSONProtocol (CVE-2019-0210)
* wildfly: The 'enabled-protocols' value in legacy security is not
respected if OpenSSL security provider is in use (CVE-2019-14887)
* jsf-impl: Mojarra: Path traversal via either the loc parameter or the con
parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)
* jsf-impl: mojarra: Path traversal in
ResourceManager.java:getLocalePrefix() via the loc parameter
(CVE-2018-14371)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.
Topics Covered
References
https://access.redhat.com/security/cve/CVE-2018-14371 https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-10172 https://access.redhat.com/security/cve/CVE-2019-12423 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-17573 https://access.redhat.com/security/cve/CVE-2020-1695 https://access.redhat.com/security/cve/CVE-2020-1729 https://access.redhat.com/security/cve/CVE-2020-1745 https://access.redhat.com/security/cve/CVE-2020-1757 https://access.redhat.com/security/cve/CVE-2020-6950 https://access.redhat.com/security/cve/CVE-2020-7226 https://access.redhat.com/security/cve/CVE-2020-8840 https://access.redhat.com/security/cve/CVE-2020-9546 https://access.redhat.com/security/cve/CVE-2020-9547 https://access.redhat.com/security/cve/CVE-2020-9548 https://access.redhat.com/security/cve/CVE-2020-10688 https://access.redhat.com/security/cve/CVE-2020-10719 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ Read the Full Advisory
Package List
Red Hat JBoss EAP 7.3 for BaseOS-8:
Source:
eap7-activemq-artemis-2.9.0-4.redhat_00010.1.el8eap.src.rpm
eap7-apache-cxf-3.3.5-1.redhat_00001.1.el8eap.src.rpm
eap7-bouncycastle-1.60.0-2.redhat_00002.1.el8eap.src.rpm
eap7-codehaus-jackson-1.9.13-10.redhat_00007.1.el8eap.src.rpm
eap7-cryptacular-1.2.4-1.redhat_00001.1.el8eap.src.rpm
eap7-elytron-web-1.6.1-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-glassfish-jaxb-2.3.3-4.b02_redhat_00001.1.el8eap.src.rpm
eap7-glassfish-jsf-2.3.9-10.SP09_redhat_00001.1.el8eap.src.rpm
eap7-hal-console-3.2.8-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-hibernate-5.3.16-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-infinispan-9.4.18-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-ironjacamar-1.4.20-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jackson-annotations-2.10.3-1.redhat_00001.1.el8eap.src.rpm
eap7-jackson-core-2.10.3-1.redhat_00001.1.el8eap.src.rpm
eap7-jackson-databind-2.10.3-1.redhat_00001.1.el8eap.src.rpm
eap7-jackson-jaxrs-providers-2.10.3-1.redhat_00001.1.el8eap.src.rpm
eap7-jackson-modules-base-2.10.3-1.redhat_00001.1.el8eap.src.rpm
eap7-jackson-modules-java8-2.10.3-1.redhat_00001.1.el8eap.src.rpm
eap7-jaegertracing-jaeger-client-java-0.34.3-1.redhat_00001.1.el8eap.src.rpm
eap7-jakarta-el-3.0.3-1.redhat_00002.1.el8eap.src.rpm
Read the Full Advisory
PREVIOUS 
NEXT Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2020:2513-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2513
Issue date: 2020-06-10
Topic
An update is now available for Red Hat JBoss Enterprise ApplicationPlatform 7.3 for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Topics Covered
Relevant Releases Architectures
Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch
Bugs Fixed
1607709 - CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter
1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720
1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data
1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId
1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page
1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation
1802444 - CVE-2020-1729 SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader
1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371
1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!