Linux Security
    Linux Security
    Linux Security

    RedHat: RHSA-2020-2905:01 Important: Red Hat build of Thorntail 2.7.0

    Date
    231
    Posted By
    An update is now available for Red Hat build of Thorntail. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Important: Red Hat build of Thorntail 2.7.0 security and bug fix update
    Advisory ID:       RHSA-2020:2905-01
    Product:           Red Hat OpenShift Application Runtimes
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2905
    Issue date:        2020-07-23
    CVE Names:         CVE-2019-12423 CVE-2019-17573 CVE-2020-1695 
                       CVE-2020-1697 CVE-2020-1698 CVE-2020-1714 
                       CVE-2020-1718 CVE-2020-1719 CVE-2020-1724 
                       CVE-2020-1727 CVE-2020-1732 CVE-2020-1744 
                       CVE-2020-1745 CVE-2020-1757 CVE-2020-6950 
                       CVE-2020-10688 CVE-2020-10705 CVE-2020-10719 
    =====================================================================
    
    1. Summary:
    
    An update is now available for Red Hat build of Thorntail.
    
    Red Hat Product Security has rated this update as having a security impact
    of Important. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available for each
    vulnerability. For more information, see the CVE links in the References
    section.
    
    2. Description:
    
    This release of Red Hat build of Thorntail 2.7.0 includes security updates,
    bug fixes, and enhancements. For more information, see the release notes
    listed in the References section.
    
    Security Fix(es):
    
    * Wildfly: EJBContext principal is not popped back after invoking another
    EJB using a different Security Domain (CVE-2020-1719)
    
    * cxf: reflected XSS in the services listing page (CVE-2019-17573)
    
    * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)
    
    * Mojarra: Path traversal via either the loc parameter or the con
    parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)
    
    * resteasy: Improper validation of response header in
    MediaTypeHeaderDelegate.java class (CVE-2020-1695)
    
    * undertow: servletPath is normalized incorrectly leading to dangerous
    application mapping which could result in security bypass (CVE-2020-1757)
    
    * keycloak: stored XSS in client settings via application links
    (CVE-2020-1697)
    
    * keycloak: problem with privacy after user logout (CVE-2020-1724)
    
    * keycloak: Password leak by logged exception in HttpMethod class
    (CVE-2020-1698)
    
    * cxf: OpenId Connect token service does not properly validate the clientId
    (CVE-2019-12423)
    
    * Soteria: security identity corruption across concurrent threads
    (CVE-2020-1732)
    
    * keycloak: missing input validation in IDP authorization URLs
    (CVE-2020-1727)
    
    * keycloak: failedLogin Event not sent to BruteForceProtector when using
    Post Login Flow with Conditional-OTP (CVE-2020-1744)
    
    * keycloak: security issue on reset credential flow (CVE-2020-1718)
    
    * keycloak: Lack of checks in ObjectInputStream leading to Remote Code
    Execution (CVE-2020-1714)
    
    * RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected
    XSS attack (CVE-2020-10688)
    
    * undertow: invalid HTTP request with large chunk size (CVE-2020-10719)
    
    * undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-
    continue" header (CVE-2020-10705)
    
    For more details about the security issues and their impact, the CVSS
    score, acknowledgements, and other related information, see the CVE pages
    listed in the References section.
    
    3. Solution:
    
    Before applying the update, back up your existing installation, including
    all applications, configuration files, databases and database settings, and
    so on.
    
    The References section of this erratum contains a download link for the
    update. You must be logged in to download the update.
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
    1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
    1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
    1790292 - CVE-2020-1698 keycloak: Password leak by logged exception in HttpMethod class
    1791538 - CVE-2020-1697 keycloak: stored XSS in client settings via application links
    1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
    1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow
    1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId
    1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page
    1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout
    1800573 - CVE-2020-1727 keycloak: missing input validation in IDP authorization URLs
    1801726 - CVE-2020-1732 Soteria: security identity corruption across concurrent threads
    1803241 - CVE-2020-10705 undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header
    1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371
    1805792 - CVE-2020-1744 keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP
    1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability
    1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack
    1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2019-12423
    https://access.redhat.com/security/cve/CVE-2019-17573
    https://access.redhat.com/security/cve/CVE-2020-1695
    https://access.redhat.com/security/cve/CVE-2020-1697
    https://access.redhat.com/security/cve/CVE-2020-1698
    https://access.redhat.com/security/cve/CVE-2020-1714
    https://access.redhat.com/security/cve/CVE-2020-1718
    https://access.redhat.com/security/cve/CVE-2020-1719
    https://access.redhat.com/security/cve/CVE-2020-1724
    https://access.redhat.com/security/cve/CVE-2020-1727
    https://access.redhat.com/security/cve/CVE-2020-1732
    https://access.redhat.com/security/cve/CVE-2020-1744
    https://access.redhat.com/security/cve/CVE-2020-1745
    https://access.redhat.com/security/cve/CVE-2020-1757
    https://access.redhat.com/security/cve/CVE-2020-6950
    https://access.redhat.com/security/cve/CVE-2020-10688
    https://access.redhat.com/security/cve/CVE-2020-10705
    https://access.redhat.com/security/cve/CVE-2020-10719
    https://access.redhat.com/security/updates/classification/#important
    https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.thorntail&version=2.7.0
    https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.7/html/release_notes_for_thorntail_2.7/
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXxk2rdzjgjWX9erEAQjSbQ//e0FG83JQFpQV7HUEsjPMB7+tT0UgoTXQ
    KnfasEPEP7wnPU07lZiVW94sxhUC/hAhce1KWIR3nT3uesMO4S+7o2vmgOwax1G7
    yYsG1SRX4KK5Ma7Qvyx8lM+6TN0MNNrXGvFsqcYF1pJBL/1tfZfb/ciiqjrsR0Tp
    v20FKuNrNmn4IPRzN04AZafOG9tXQ8XMqkJaWxh8s4dupvElG4ywmYletwYLYMxS
    5X+SVmQ9TtGSgJF6HUGoL0wsTbMtdlJPRrchhbjzAi00ZY5hElVa+MOzdyCFYygv
    ev0iz9m0foF1bXfbJTfpzbOnz/f3uJUTKCzz+mLf3voeqbvXnzUNn74MXZQynR8G
    LNFVpLo0U/d0wULkSSdFjqer+IxeUWRwcl2km1U42f+0BiCb4K3uHIjhkfAdRFFQ
    7K8Nl/2GfJnLywD8693xSKi/6MeCHC2HhrYb9A89lXoebX/3WXkNUC4ReGL80+fg
    3z7793xt6QzV9V+WOH8NbQS4SzpAOkusHMew7sQpLxU8r9uaF1KibshjUGq/rZlA
    YswTjYHqNLja7kx8GDejpO/RAhMq6asm38YtFzY+Qtipe8xcAxSrTiO6FLN+Xv0M
    YlvsaeWblymoLwbQ5ON59VoFFe1YgzIQP0CJEbWbnJl0UHdIldAbv22e4Trnw58t
    ZwsJot3fnjU=
    =2k8f
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    

    Advisories

    LinuxSecurity Poll

    Which aspect of server security are you most interested in learning more about?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/38-which-aspect-of-server-security-are-you-most-interested-in-learning-more-about?task=poll.vote&format=json
    38
    radio
    [{"id":"131","title":"Preventing information leakage","votes":"1","type":"x","order":"1","pct":100,"resources":[]},{"id":"132","title":"Firewall considerations","votes":"0","type":"x","order":"2","pct":0,"resources":[]},{"id":"133","title":"Permissions ","votes":"0","type":"x","order":"3","pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.