Red Hat JBoss EAP 7.3 Security Advisory RHSA-2021:0248-01 Important Fix
red hat
January 25, 2021
An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8
Solution
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
Summary
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.3.5 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.4,
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.3.5 Release Notes for information about the most
significant bug fixes and enhancements included in this release.
Security Fix(es):
* wildfly: Potential Memory leak in Wildfly when using OpenTracing
(CVE-2020-27822)
* undertow: special character in query results in server errors(CVE-2020-27782)
* wildfly-core: memory leak in WildFly host-controller in domain mode while
not able to reconnect to domain-controller (CVE-2020-25689)
* httpclient: apache-httpclient: incorrect handling of malformed authority
component in request URIs (CVE-2020-13956)
* wildfly: resource adapter logs plaintext JMS password at warning level on
connection error (CVE-2020-25640)
* resteasy-client: potential sensitive information leakage in JAX-RS
RESTEasy Client's WebApplicationException handling (CVE-2020-25633)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.
References
https://access.redhat.com/security/cve/CVE-2020-13956 https://access.redhat.com/security/cve/CVE-2020-25633 https://access.redhat.com/security/cve/CVE-2020-25640 https://access.redhat.com/security/cve/CVE-2020-25689 https://access.redhat.com/security/cve/CVE-2020-27782 https://access.redhat.com/security/cve/CVE-2020-27822 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
Package List
Red Hat JBoss EAP 7.3 for BaseOS-8:
Source:
eap7-activemq-artemis-2.9.0-7.redhat_00017.1.el8eap.src.rpm
eap7-glassfish-jsf-2.3.9-12.SP13_redhat_00001.1.el8eap.src.rpm
eap7-hal-console-3.2.12-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-hibernate-5.3.20-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-httpcomponents-client-4.5.13-1.redhat_00001.1.el8eap.src.rpm
eap7-jboss-ejb-client-4.0.37-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-genericjms-2.0.8-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-modules-1.11.0-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-remoting-5.0.20-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-server-migration-1.7.2-4.Final_redhat_00005.1.el8eap.src.rpm
eap7-jboss-xnio-base-3.7.12-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-narayana-5.9.10-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-opentracing-interceptors-0.0.4.1-2.redhat_00002.1.el8eap.src.rpm
eap7-resteasy-3.11.3-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-undertow-2.0.33-1.SP2_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-7.3.5-2.GA_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-discovery-1.2.1-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-elytron-1.10.10-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-http-client-1.0.24-1.Final_redhat_00001.1.el8eap.src.rpm
noarch:
Read the Full Advisory
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2021:0248-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0248
Issue date: 2021-01-25
Topic
An update is now available for Red Hat JBoss Enterprise ApplicationPlatform 7.3 for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.
Relevant Releases Architectures
Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch
Bugs Fixed
1879042 - CVE-2020-25633 resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling
1881637 - CVE-2020-25640 wildfly: resource adapter logs plaintext JMS password at warning level on connection error
1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs
1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
1901304 - CVE-2020-27782 undertow: special character in query results in server errors1904060 - CVE-2020-27822 wildfly: Potential Memory leak in Wildfly when using OpenTracing
6. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):
JBEAP-19788 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.22.Final-redhat-00001 to 1.0.24.Final-redhat-00001
JBEAP-19790 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.33.SP1-redhat-00001 to 4.0.37.Final-redhat-00001
JBEAP-19816 - [GSS](7.3.z) UNDERTOW-1745 - Undertow access-log does not work for HTTP/2 POST request on HTTP Upgrade based connection
JBEAP-20240 - (7.3.z) Upgrade Narayana from 5.9.9.Final to 5.9.10.Final
JBEAP-20268 - (7.3.z) Upgrade generic jms from 2.0.6 to 2.0.8
JBEAP-20271 - Tracker bug for the EAP 7.3.5 release for RHEL-8
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!