
RedHat: RHSA-2020-3585-01 Important Update for JBoss EAP Technical Preview

August 31, 2020
This is a security update for JBoss EAP Continuous Delivery 20

Solution

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

You must restart the JBoss server process for the update to take effect.

The References section of this erratum contains a download link (you must log in to download the update).

Summary

Red Hat JBoss Enterprise Application Platform CD20 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform CD20 includes bug fixes and enhancements.
Security Fix(es):
* jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter (CVE-2018-14371)
* jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)
* hibernate-core: hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)
* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673)
* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)
* undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header (CVE-2020-10705)
* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)
* undertow: invalid HTTP request with large chunk size (CVE-2020-10719)
* wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)
* netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)
* wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)
* cxf-core: cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)
* jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

https://access.redhat.com/security/cve/CVE-2018-14371
https://access.redhat.com/security/cve/CVE-2019-10172
https://access.redhat.com/security/cve/CVE-2019-14900
https://access.redhat.com/security/cve/CVE-2020-1719
https://access.redhat.com/security/cve/CVE-2020-1954
https://access.redhat.com/security/cve/CVE-2020-6950
https://access.redhat.com/security/cve/CVE-2020-10673
https://access.redhat.com/security/cve/CVE-2020-10683
https://access.redhat.com/security/cve/CVE-2020-10705
https://access.redhat.com/security/cve/CVE-2020-10714
https://access.redhat.com/security/cve/CVE-2020-10719
https://access.redhat.com/security/cve/CVE-2020-10740
https://access.redhat.com/security/cve/CVE-2020-11612
https://access.redhat.com/security/updates/classification#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=eap-cd&version=20
https://docs.redhat.com/en/documentation/jboss_enterprise_application_platform_continuous_delivery/20

Package List


Severity: important

Advisory ID: RHSA-2020:3585-01
Product: Red Hat JBoss Enterprise Application Platform
Issue date: 2020-08-31

Topic

This is a security update for JBoss EAP Continuous Delivery 20. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

1607709 - CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter

1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM

1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser

1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720

1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain

1803241 - CVE-2020-10705 undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header

1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371

1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution

1816216 - CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes

1824301 - CVE-2020-1954 cxf: JMX integration is vulnerable to a MITM attack

1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication

1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size

1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
