Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Red Hat EAP XP2 Advisory RHSA-2022-0146-03: Moderate DoS Issues

red hat
Calendar Grey January 17, 2022
Dist Redhat Esm H88
Intermediate security notification for EAP XP2 tackling vulnerabilities in EAP 7.3.x framework, necessitating no alterations in the source code.
This advisory resolves CVE issues filed against XP2 releases that have been fixed in the underlying EAP 7.3.x base

Solution

This advisory is informational only. There are no code changes associated with it. No action is required.

Summary

These are CVE issues filed against XP2 releases that have been fixed in the underlying EAP 7.3.x base. There are no changes to the EAP XP2 code base.
Security Fix(es):
* undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629)
* wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)
* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users (CVE-2021-3717)
* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck (CVE-2021-37714)
* xml-security: XPath Transform abuse allows for information disclosure (CVE-2021-40690)
* resteasy: Error message exposes endpoint class information (CVE-2021-20289)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Topics%20covered

Topics Covered

security advisory Red Hat moderate severity Denial of Service risk mitigation CVE issue EAP XP2

References

https://access.redhat.com/security/cve/CVE-2021-3629 https://access.redhat.com/security/cve/CVE-2021-3642 https://access.redhat.com/security/cve/CVE-2021-3717 https://access.redhat.com/security/cve/CVE-2021-20289 https://access.redhat.com/security/cve/CVE-2021-37714 https://access.redhat.com/security/cve/CVE-2021-40690 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/articles/5975301

Package List


Advisory ID: RHSA-2022:0146-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0146
Issue date: 2022-01-17

Topic

This advisory resolves CVE issues filed against XP2 releases that have beenfixed in the underlying EAP 7.3.x base. There are no changes to the EAP XP2code base.NOTE: This advisory is informational only. There are no code changesassociated with it. No action is required.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory Red Hat moderate severity Denial of Service risk mitigation CVE issue EAP XP2

Relevant Releases Architectures

Bugs Fixed

1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information

1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS

1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer

1991305 - CVE-2021-3717 wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users1995259 - CVE-2021-37714 jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck

2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure

5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

JBEAP-22652 - XP 2.0.0 respin (2.0.0-7.3.10.GA)

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here