-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 7.4.1 security update on RHEL 8
Advisory ID:       RHSA-2021:3658-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3658
Issue date:        2021-09-23
CVE Names:         CVE-2020-13936 CVE-2021-3536 CVE-2021-3597 
                   CVE-2021-3642 CVE-2021-3644 CVE-2021-3690 
                   CVE-2021-21295 CVE-2021-21409 CVE-2021-28170 
                   CVE-2021-29425 
====================================================================
1. Summary:

A security update is now available for Red Hat JBoss Enterprise Application
Platform 7.4 for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.4 for RHEL 8 - noarch

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.1 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.0
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.4.1 Release Notes for information about the most
significant bug fixes and enhancements included in this release.

Security Fix(es):

* velocity: arbitrary code execution when attacker is able to modify
templates (CVE-2020-13936)

* undertow: buffer leak on incoming websocket PONG message may lead to DoS
(CVE-2021-3690)

* undertow: HTTP2SourceChannel fails to write final frame under some
circumstances may lead to DoS (CVE-2021-3597)

* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

* netty: possible request smuggling in HTTP/2 due missing validation
(CVE-2021-21295)

* netty: Request smuggling via content-length header (CVE-2021-21409)

* jakarta-el: ELParserTokenManager enables invalid EL expressions to be
evaluate (CVE-2021-28170)

* apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
(CVE-2021-29425)

* wildfly: XSS via admin console when creating roles in domain mode
(CVE-2021-3536)

* wildfly-core: Invalid Sensitivity Classification of Vault Expression
(CVE-2021-3644)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

For details about how to apply this update, see:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
1944888 - CVE-2021-21409 netty: Request smuggling via content-length header
1948001 - CVE-2021-3536 wildfly: XSS via admin console when creating roles in domain mode
1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate
1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression
1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer
1991299 - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS

6. JIRA issues fixed (https://issues.redhat.com/):

JBEAP-18402 - Tracker bug for the EAP 7.4.1 release for RHEL-8
JBEAP-21231 - (7.4.x) Upgrade jgroups-kubernetes to 1.0.16.Final
JBEAP-21257 - (7.4.z) Upgrade Infinispan from 11.0.9.Final to 11.0.11.Final
JBEAP-21258 - (7.4.z) ISPN-12807 - Simple cache does not update eviction statistics
JBEAP-21261 - (7.4.z) Upgrade to wildfly-http-client to 1.1.7.Final
JBEAP-21263 - [GSS](7.4.z) Upgrade yasson from 1.0.5 to 1.0.9
JBEAP-21270 - [GSS] (7.4.z) Upgrade undertow from 2.2.5.Final to 2.2.8.SP1
JBEAP-21276 - [GSS](7.4.z) Non Transactional Cache needs to be invalidated after commit on JPQL update/delete operation
JBEAP-21277 - [GSS](7.4.z) Upgrade Hibernate ORM from 5.3.20.Final-redhat-00001 to 5.3.20.SP1-redhat-00001
JBEAP-21281 - (7.4.z) Upgrade xalan from 2.7.1.redhat-12 to 2.7.1.redhat-13
JBEAP-21300 - (7.4.x) Upgrade velocity from 2.2.0.redhat-00001 to 2.3.0.redhat-00001
JBEAP-21309 - (7.4.z) Upgrade artemis-wildfly-integration from 1.0.2 to 1.0.4
JBEAP-21313 - [GSS](7.4.z) Upgrade Ironjacamar from 1.4.27.Final to 1.4.33.Final
JBEAP-21472 - (7.4.z) Upgrade Elytron from 1.15.3.Final-redhat-00001 to 1.15.5.Final-redhat-00001
JBEAP-21569 - [GSS](7.4.z) Upgrade HAL from 3.3.2.Final-redhat-00001 to 3.3.7.Final-redhat-00001
JBEAP-21777 - (7.4.z) Upgrade jberet from 1.3.7.Final-redhat-00001 to 1.3.8.Final-redhat-00001
JBEAP-21781 - [GSS](7.4.z) WFCORE-5185 - Update ProviderDefinition to use optimised service loading API
JBEAP-21818 - (7.4.z) Upgrade elytron-web from 1.6.2.Final-redhat-00001 to 1.9.1.Final
JBEAP-21961 - (7.4.z) Upgrade remoting from 5.0.20.SP1-redhat-00001 to 5.0.23.Final-redhat-00001
JBEAP-21978 - (7.4.z) Upgrade WildFly Core from 15.0.2.Final-redhat-00001 to 15.0.3.Final-redhat-00001
JBEAP-22009 - [GSS](7.4.z) HAL-1753 - The Locations table is not updated after changing the profile in breadcrumb navigation
JBEAP-22084 - [GSS](7.4.z) Upgrade PicketBox from 5.0.3.Final-redhat-00007 to 5.0.3.Final-redhat-00008
JBEAP-22088 - (7.4.z) Upgrade wildfly-transaction-client from 1.1.13.Final-redhat-00001 to 1.1.14.Final-redhat-00001
JBEAP-22160 - (7.4.z) Upgrade jakarta.el from 3.0.3.redhat-00002 to 3.0.3.redhat-00006
JBEAP-22209 - (7.4.z) Upgrade commons-io from 2.5 to 2.10.0
JBEAP-22318 - (7.4.z) Upgrade WildFly Core from 15.0.3.Final-redhat-00001 to 15.0.4.Final-redhat-00001
JBEAP-22319 - (7.4.z) Upgrade undertow from 2.2.9.Final-redhat-00001 to 2.2.9.SP1-redhat-00001

7. Package List:

Red Hat JBoss EAP 7.4 for RHEL 8:

Source:
eap7-apache-commons-io-2.10.0-1.redhat_00001.1.el8eap.src.rpm
eap7-artemis-wildfly-integration-1.0.4-1.redhat_00001.1.el8eap.src.rpm
eap7-elytron-web-1.9.1-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-hal-console-3.3.7-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-hibernate-5.3.21-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-infinispan-11.0.12-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-ironjacamar-1.4.35-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jakarta-el-3.0.3-2.redhat_00006.1.el8eap.src.rpm
eap7-jberet-1.3.9-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-remoting-5.0.23-2.SP1_redhat_00001.1.el8eap.src.rpm
eap7-jboss-server-migration-1.10.0-8.Final_redhat_00009.1.el8eap.src.rpm
eap7-jgroups-kubernetes-1.0.16-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-netty-4.1.63-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-picketbox-5.0.3-9.Final_redhat_00008.1.el8eap.src.rpm
eap7-undertow-2.2.9-2.SP1_redhat_00001.1.el8eap.src.rpm
eap7-velocity-2.3.0-1.redhat_00001.1.el8eap.src.rpm
eap7-wildfly-7.4.1-2.GA_redhat_00003.1.el8eap.src.rpm
eap7-wildfly-elytron-1.15.5-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-http-client-1.1.8-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-transaction-client-1.1.14-2.Final_redhat_00001.1.el8eap.src.rpm
eap7-xalan-j2-2.7.1-36.redhat_00013.1.el8eap.src.rpm
eap7-yasson-1.0.9-1.redhat_00001.1.el8eap.src.rpm

noarch:
eap7-apache-commons-io-2.10.0-1.redhat_00001.1.el8eap.noarch.rpm
eap7-artemis-wildfly-integration-1.0.4-1.redhat_00001.1.el8eap.noarch.rpm
eap7-hal-console-3.3.7-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-5.3.21-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-core-5.3.21-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-entitymanager-5.3.21-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-envers-5.3.21-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-hibernate-java8-5.3.21-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-infinispan-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-infinispan-cachestore-jdbc-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-infinispan-cachestore-remote-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-infinispan-client-hotrod-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-infinispan-commons-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-infinispan-component-annotations-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-infinispan-core-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-infinispan-hibernate-cache-commons-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-infinispan-hibernate-cache-spi-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-infinispan-hibernate-cache-v53-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-common-api-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-common-impl-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-common-spi-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-core-api-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-core-impl-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-deployers-common-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-jdbc-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-validator-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jakarta-el-3.0.3-2.redhat_00006.1.el8eap.noarch.rpm
eap7-jberet-1.3.9-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jberet-core-1.3.9-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-remoting-5.0.23-2.SP1_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-server-migration-1.10.0-8.Final_redhat_00009.1.el8eap.noarch.rpm
eap7-jboss-server-migration-cli-1.10.0-8.Final_redhat_00009.1.el8eap.noarch.rpm
eap7-jboss-server-migration-core-1.10.0-8.Final_redhat_00009.1.el8eap.noarch.rpm
eap7-jgroups-kubernetes-1.0.16-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-netty-4.1.63-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-netty-all-4.1.63-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-picketbox-5.0.3-9.Final_redhat_00008.1.el8eap.noarch.rpm
eap7-picketbox-infinispan-5.0.3-9.Final_redhat_00008.1.el8eap.noarch.rpm
eap7-undertow-2.2.9-2.SP1_redhat_00001.1.el8eap.noarch.rpm
eap7-undertow-server-1.9.1-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-velocity-2.3.0-1.redhat_00001.1.el8eap.noarch.rpm
eap7-velocity-engine-core-2.3.0-1.redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-7.4.1-2.GA_redhat_00003.1.el8eap.noarch.rpm
eap7-wildfly-elytron-1.15.5-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-elytron-tool-1.15.5-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-http-client-common-1.1.8-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-http-ejb-client-1.1.8-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-http-naming-client-1.1.8-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-http-transaction-client-1.1.8-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-javadocs-7.4.1-2.GA_redhat_00003.1.el8eap.noarch.rpm
eap7-wildfly-modules-7.4.1-2.GA_redhat_00003.1.el8eap.noarch.rpm
eap7-wildfly-transaction-client-1.1.14-2.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-xalan-j2-2.7.1-36.redhat_00013.1.el8eap.noarch.rpm
eap7-yasson-1.0.9-1.redhat_00001.1.el8eap.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2020-13936
https://access.redhat.com/security/cve/CVE-2021-3536
https://access.redhat.com/security/cve/CVE-2021-3597
https://access.redhat.com/security/cve/CVE-2021-3642
https://access.redhat.com/security/cve/CVE-2021-3644
https://access.redhat.com/security/cve/CVE-2021-3690
https://access.redhat.com/security/cve/CVE-2021-21295
https://access.redhat.com/security/cve/CVE-2021-21409
https://access.redhat.com/security/cve/CVE-2021-28170
https://access.redhat.com/security/cve/CVE-2021-29425
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

9. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYUyqm9zjgjWX9erEAQjH1g/+Ppuz7krcdea4827pGXsIGzieQDvw4h/u
j85t5i0/k9UKm5I4RLNBlxABURGjNVgl3ITDLU0HCBPYW0Y1unquUe6ybXxyp55H
fQ88nUVhuVS1KA8u1+JLnyI07k8he5wkyqyDa72Z+ULpXDjua7PfK+jI3RQkAp8B
yqeP+gyMLq5lb4bFaSQV7+xfAAsjtB9B2tSwZTYioKxVwmGs6qOLFEZSgJrm1FyL
lDhra9IcEmjnWj7QfAElELH1KdnguWf1l6fxOss/u/0IU4Kb9/it63w/KKiH7eKl
TYLeMP+z03Yv9FP6LQwuGpJZL24F0g0ZEY8pG23b4/doNrvJhA/b8vdwE4xdS0VO
Wht0PLdIMWXmf7JdwaSWHYiZrYBV42E+Ac6o5//q06B4lbg/NsW5g2cRvLT8BF4v
MrS59t866xhWLCPaexTWuaugdaXq0lJy23NkWFPaYf3S3i4lYAoxfVy2BH9TAXQ7
qoCZpXQi5680yzxBMC4Db91AakVMK6EijTiwm0XSqFjSYZ2fjo3PZX3vHTxw5rYo
uNXHSVMfc4+7NfBcE2TS122i3/Achy8W6yk9Rq8EEI0yldQP47CKY6EC/r0HDJ2/
coK/yHG63//e2rJiZS6bfV8W9QP1REkZTBrBbZjjidGXKFYqXjUKbTrnGxhuV1yZ
5957NNRhLbY=LINr
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-3658:01 Important: Red Hat JBoss Enterprise Application

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8

Summary

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.4.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.0 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.1 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)
* undertow: buffer leak on incoming websocket PONG message may lead to DoS (CVE-2021-3690)
* undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS (CVE-2021-3597)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)
* netty: Request smuggling via content-length header (CVE-2021-21409)
* jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate (CVE-2021-28170)
* apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)
* wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)
* wildfly-core: Invalid Sensitivity Classification of Vault Expression (CVE-2021-3644)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, ensure all previously released errata relevant to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2020-13936 https://access.redhat.com/security/cve/CVE-2021-3536 https://access.redhat.com/security/cve/CVE-2021-3597 https://access.redhat.com/security/cve/CVE-2021-3642 https://access.redhat.com/security/cve/CVE-2021-3644 https://access.redhat.com/security/cve/CVE-2021-3690 https://access.redhat.com/security/cve/CVE-2021-21295 https://access.redhat.com/security/cve/CVE-2021-21409 https://access.redhat.com/security/cve/CVE-2021-28170 https://access.redhat.com/security/cve/CVE-2021-29425 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

Package List

Red Hat JBoss EAP 7.4 for RHEL 8:
Source: eap7-apache-commons-io-2.10.0-1.redhat_00001.1.el8eap.src.rpm eap7-artemis-wildfly-integration-1.0.4-1.redhat_00001.1.el8eap.src.rpm eap7-elytron-web-1.9.1-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hal-console-3.3.7-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-5.3.21-1.Final_redhat_00001.1.el8eap.src.rpm eap7-infinispan-11.0.12-1.Final_redhat_00001.1.el8eap.src.rpm eap7-ironjacamar-1.4.35-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jakarta-el-3.0.3-2.redhat_00006.1.el8eap.src.rpm eap7-jberet-1.3.9-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-remoting-5.0.23-2.SP1_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.10.0-8.Final_redhat_00009.1.el8eap.src.rpm eap7-jgroups-kubernetes-1.0.16-1.Final_redhat_00001.1.el8eap.src.rpm eap7-netty-4.1.63-1.Final_redhat_00001.1.el8eap.src.rpm eap7-picketbox-5.0.3-9.Final_redhat_00008.1.el8eap.src.rpm eap7-undertow-2.2.9-2.SP1_redhat_00001.1.el8eap.src.rpm eap7-velocity-2.3.0-1.redhat_00001.1.el8eap.src.rpm eap7-wildfly-7.4.1-2.GA_redhat_00003.1.el8eap.src.rpm eap7-wildfly-elytron-1.15.5-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-http-client-1.1.8-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-transaction-client-1.1.14-2.Final_redhat_00001.1.el8eap.src.rpm eap7-xalan-j2-2.7.1-36.redhat_00013.1.el8eap.src.rpm eap7-yasson-1.0.9-1.redhat_00001.1.el8eap.src.rpm
noarch: eap7-apache-commons-io-2.10.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-artemis-wildfly-integration-1.0.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-hal-console-3.3.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-5.3.21-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-core-5.3.21-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-entitymanager-5.3.21-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-envers-5.3.21-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-java8-5.3.21-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-jdbc-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-remote-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-client-hotrod-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-commons-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-component-annotations-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-core-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-11.0.12-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-api-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-api-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-validator-1.4.35-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jakarta-el-3.0.3-2.redhat_00006.1.el8eap.noarch.rpm eap7-jberet-1.3.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jberet-core-1.3.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-remoting-5.0.23-2.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-server-migration-1.10.0-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.10.0-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.10.0-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jgroups-kubernetes-1.0.16-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-netty-4.1.63-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-netty-all-4.1.63-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-picketbox-5.0.3-9.Final_redhat_00008.1.el8eap.noarch.rpm eap7-picketbox-infinispan-5.0.3-9.Final_redhat_00008.1.el8eap.noarch.rpm eap7-undertow-2.2.9-2.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-undertow-server-1.9.1-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-velocity-2.3.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-velocity-engine-core-2.3.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-7.4.1-2.GA_redhat_00003.1.el8eap.noarch.rpm eap7-wildfly-elytron-1.15.5-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-elytron-tool-1.15.5-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-client-common-1.1.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-ejb-client-1.1.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-naming-client-1.1.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-transaction-client-1.1.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.4.1-2.GA_redhat_00003.1.el8eap.noarch.rpm eap7-wildfly-modules-7.4.1-2.GA_redhat_00003.1.el8eap.noarch.rpm eap7-wildfly-transaction-client-1.1.14-2.Final_redhat_00001.1.el8eap.noarch.rpm eap7-xalan-j2-2.7.1-36.redhat_00013.1.el8eap.noarch.rpm eap7-yasson-1.0.9-1.redhat_00001.1.el8eap.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2021:3658-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3658
Issued Date: : 2021-09-23
CVE Names: CVE-2020-13936 CVE-2021-3536 CVE-2021-3597 CVE-2021-3642 CVE-2021-3644 CVE-2021-3690 CVE-2021-21295 CVE-2021-21409 CVE-2021-28170 CVE-2021-29425

Topic

A security update is now available for Red Hat JBoss Enterprise ApplicationPlatform 7.4 for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat JBoss EAP 7.4 for RHEL 8 - noarch


Bugs Fixed

1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation

1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates

1944888 - CVE-2021-21409 netty: Request smuggling via content-length header

1948001 - CVE-2021-3536 wildfly: XSS via admin console when creating roles in domain mode

1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6

1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate

1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS

1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression

1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer

1991299 - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS

6. JIRA issues fixed (https://issues.redhat.com/):

JBEAP-18402 - Tracker bug for the EAP 7.4.1 release for RHEL-8

JBEAP-21231 - (7.4.x) Upgrade jgroups-kubernetes to 1.0.16.Final

JBEAP-21257 - (7.4.z) Upgrade Infinispan from 11.0.9.Final to 11.0.11.Final

JBEAP-21258 - (7.4.z) ISPN-12807 - Simple cache does not update eviction statistics

JBEAP-21261 - (7.4.z) Upgrade to wildfly-http-client to 1.1.7.Final

JBEAP-21263 - [GSS](7.4.z) Upgrade yasson from 1.0.5 to 1.0.9

JBEAP-21270 - [GSS] (7.4.z) Upgrade undertow from 2.2.5.Final to 2.2.8.SP1

JBEAP-21276 - [GSS](7.4.z) Non Transactional Cache needs to be invalidated after commit on JPQL update/delete operation

JBEAP-21277 - [GSS](7.4.z) Upgrade Hibernate ORM from 5.3.20.Final-redhat-00001 to 5.3.20.SP1-redhat-00001

JBEAP-21281 - (7.4.z) Upgrade xalan from 2.7.1.redhat-12 to 2.7.1.redhat-13

JBEAP-21300 - (7.4.x) Upgrade velocity from 2.2.0.redhat-00001 to 2.3.0.redhat-00001

JBEAP-21309 - (7.4.z) Upgrade artemis-wildfly-integration from 1.0.2 to 1.0.4

JBEAP-21313 - [GSS](7.4.z) Upgrade Ironjacamar from 1.4.27.Final to 1.4.33.Final

JBEAP-21472 - (7.4.z) Upgrade Elytron from 1.15.3.Final-redhat-00001 to 1.15.5.Final-redhat-00001

JBEAP-21569 - [GSS](7.4.z) Upgrade HAL from 3.3.2.Final-redhat-00001 to 3.3.7.Final-redhat-00001

JBEAP-21777 - (7.4.z) Upgrade jberet from 1.3.7.Final-redhat-00001 to 1.3.8.Final-redhat-00001

JBEAP-21781 - [GSS](7.4.z) WFCORE-5185 - Update ProviderDefinition to use optimised service loading API

JBEAP-21818 - (7.4.z) Upgrade elytron-web from 1.6.2.Final-redhat-00001 to 1.9.1.Final

JBEAP-21961 - (7.4.z) Upgrade remoting from 5.0.20.SP1-redhat-00001 to 5.0.23.Final-redhat-00001

JBEAP-21978 - (7.4.z) Upgrade WildFly Core from 15.0.2.Final-redhat-00001 to 15.0.3.Final-redhat-00001

JBEAP-22009 - [GSS](7.4.z) HAL-1753 - The Locations table is not updated after changing the profile in breadcrumb navigation

JBEAP-22084 - [GSS](7.4.z) Upgrade PicketBox from 5.0.3.Final-redhat-00007 to 5.0.3.Final-redhat-00008

JBEAP-22088 - (7.4.z) Upgrade wildfly-transaction-client from 1.1.13.Final-redhat-00001 to 1.1.14.Final-redhat-00001

JBEAP-22160 - (7.4.z) Upgrade jakarta.el from 3.0.3.redhat-00002 to 3.0.3.redhat-00006

JBEAP-22209 - (7.4.z) Upgrade commons-io from 2.5 to 2.10.0

JBEAP-22318 - (7.4.z) Upgrade WildFly Core from 15.0.3.Final-redhat-00001 to 15.0.4.Final-redhat-00001

JBEAP-22319 - (7.4.z) Upgrade undertow from 2.2.9.Final-redhat-00001 to 2.2.9.SP1-redhat-00001


Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved