RedHat: RHSA-2022-8840:01 Moderate: Red Hat JBoss Core Services Apa...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP1 security update
Advisory ID:       RHSA-2022:8840-01
Product:           Red Hat JBoss Core Services
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8840
Issue date:        2022-12-08
CVE Names:         CVE-2022-1292 CVE-2022-2068 CVE-2022-22721 
                   CVE-2022-23943 CVE-2022-26377 CVE-2022-28330 
                   CVE-2022-28614 CVE-2022-28615 CVE-2022-30522 
                   CVE-2022-31813 CVE-2022-32206 CVE-2022-32207 
                   CVE-2022-32208 CVE-2022-32221 CVE-2022-35252 
                   CVE-2022-42915 CVE-2022-42916 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Core Services.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Core Services on RHEL 7 Server - noarch, x86_64
Red Hat JBoss Core Services on RHEL 8 - noarch, x86_64

3. Description:

Red Hat JBoss Core Services is a set of supplementary software for Red Hat
JBoss middleware products. This software, such as Apache HTTP Server, is
common to multiple JBoss middleware products, and is packaged under Red Hat
JBoss Core Services to allow for faster distribution of updates, and for a
more consistent update experience.

This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51
Service Pack 1 serves as a replacement for Red Hat JBoss Core Services
Apache HTTP Server 2.4.51, and includes bug fixes and enhancements, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* curl: HSTS bypass via IDN (CVE-2022-42916)

* curl: HTTP proxy double-free (CVE-2022-42915)

* curl: POST following PUT confusion (CVE-2022-32221)

* httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism
(CVE-2022-31813)

* httpd: mod_sed: DoS vulnerability (CVE-2022-30522)

* httpd: out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)

* httpd: out-of-bounds read via ap_rwrite() (CVE-2022-28614)

* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)

* curl: control code in cookie denial of service (CVE-2022-35252)

* jbcs-httpd24-httpd: httpd: mod_isapi: out-of-bounds read (CVE-2022-28330)

* curl: Unpreserved file permissions (CVE-2022-32207)

* curl: various flaws (CVE-2022-32206 CVE-2022-32208)

* openssl: the c_rehash script allows command injection (CVE-2022-2068)

* openssl: c_rehash script allows command injection (CVE-2022-1292)

* jbcs-httpd24-httpd: httpd: core: Possible buffer overflow with very large
or unlimited LimitXMLRequestBody (CVE-2022-22721)

* jbcs-httpd24-httpd: httpd: mod_sed: Read/write beyond bounds
(CVE-2022-23943)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

Applications using the APR libraries, such as httpd, must be restarted for
this update to take effect. After installing the updated packages, the
httpd daemon will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds
2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody
2081494 - CVE-2022-1292 openssl: c_rehash script allows command injection
2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling
2095000 - CVE-2022-28330 httpd: mod_isapi: out-of-bounds read
2095002 - CVE-2022-28614 httpd: Out-of-bounds read via ap_rwrite()
2095006 - CVE-2022-28615 httpd: Out-of-bounds read in ap_strcmp_match()
2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability
2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism
2097310 - CVE-2022-2068 openssl: the c_rehash script allows command injection
2099300 - CVE-2022-32206 curl: HTTP compression denial of service
2099305 - CVE-2022-32207 curl: Unpreserved file permissions
2099306 - CVE-2022-32208 curl: FTP-KRB bad message verification
2120718 - CVE-2022-35252 curl: control code in cookie denial of service
2135411 - CVE-2022-32221 curl: POST following PUT confusion
2135413 - CVE-2022-42915 curl: HTTP proxy double-free
2135416 - CVE-2022-42916 curl: HSTS bypass via IDN

6. Package List:

Red Hat JBoss Core Services on RHEL 7 Server:

Source:
jbcs-httpd24-apr-util-1.6.1-99.el7jbcs.src.rpm
jbcs-httpd24-curl-7.86.0-2.el7jbcs.src.rpm
jbcs-httpd24-httpd-2.4.51-37.el7jbcs.src.rpm
jbcs-httpd24-mod_http2-1.15.19-20.el7jbcs.src.rpm
jbcs-httpd24-mod_jk-1.2.48-44.redhat_1.el7jbcs.src.rpm
jbcs-httpd24-mod_md-2.4.0-18.el7jbcs.src.rpm
jbcs-httpd24-mod_proxy_cluster-1.3.17-13.el7jbcs.src.rpm
jbcs-httpd24-mod_security-2.9.3-22.el7jbcs.src.rpm
jbcs-httpd24-nghttp2-1.43.0-11.el7jbcs.src.rpm
jbcs-httpd24-openssl-1.1.1k-13.el7jbcs.src.rpm
jbcs-httpd24-openssl-chil-1.0.0-17.el7jbcs.src.rpm
jbcs-httpd24-openssl-pkcs11-0.4.10-32.el7jbcs.src.rpm

noarch:
jbcs-httpd24-httpd-manual-2.4.51-37.el7jbcs.noarch.rpm

x86_64:
jbcs-httpd24-apr-util-1.6.1-99.el7jbcs.x86_64.rpm
jbcs-httpd24-apr-util-debuginfo-1.6.1-99.el7jbcs.x86_64.rpm
jbcs-httpd24-apr-util-devel-1.6.1-99.el7jbcs.x86_64.rpm
jbcs-httpd24-apr-util-ldap-1.6.1-99.el7jbcs.x86_64.rpm
jbcs-httpd24-apr-util-mysql-1.6.1-99.el7jbcs.x86_64.rpm
jbcs-httpd24-apr-util-nss-1.6.1-99.el7jbcs.x86_64.rpm
jbcs-httpd24-apr-util-odbc-1.6.1-99.el7jbcs.x86_64.rpm
jbcs-httpd24-apr-util-openssl-1.6.1-99.el7jbcs.x86_64.rpm
jbcs-httpd24-apr-util-pgsql-1.6.1-99.el7jbcs.x86_64.rpm
jbcs-httpd24-apr-util-sqlite-1.6.1-99.el7jbcs.x86_64.rpm
jbcs-httpd24-curl-7.86.0-2.el7jbcs.x86_64.rpm
jbcs-httpd24-curl-debuginfo-7.86.0-2.el7jbcs.x86_64.rpm
jbcs-httpd24-httpd-2.4.51-37.el7jbcs.x86_64.rpm
jbcs-httpd24-httpd-debuginfo-2.4.51-37.el7jbcs.x86_64.rpm
jbcs-httpd24-httpd-devel-2.4.51-37.el7jbcs.x86_64.rpm
jbcs-httpd24-httpd-selinux-2.4.51-37.el7jbcs.x86_64.rpm
jbcs-httpd24-httpd-tools-2.4.51-37.el7jbcs.x86_64.rpm
jbcs-httpd24-libcurl-7.86.0-2.el7jbcs.x86_64.rpm
jbcs-httpd24-libcurl-devel-7.86.0-2.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_http2-1.15.19-20.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_http2-debuginfo-1.15.19-20.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_jk-ap24-1.2.48-44.redhat_1.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_jk-debuginfo-1.2.48-44.redhat_1.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_ldap-2.4.51-37.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_md-2.4.0-18.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_md-debuginfo-2.4.0-18.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_proxy_cluster-1.3.17-13.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_proxy_cluster-debuginfo-1.3.17-13.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_proxy_html-2.4.51-37.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_security-2.9.3-22.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_security-debuginfo-2.9.3-22.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_session-2.4.51-37.el7jbcs.x86_64.rpm
jbcs-httpd24-mod_ssl-2.4.51-37.el7jbcs.x86_64.rpm
jbcs-httpd24-nghttp2-1.43.0-11.el7jbcs.x86_64.rpm
jbcs-httpd24-nghttp2-debuginfo-1.43.0-11.el7jbcs.x86_64.rpm
jbcs-httpd24-nghttp2-devel-1.43.0-11.el7jbcs.x86_64.rpm
jbcs-httpd24-openssl-1.1.1k-13.el7jbcs.x86_64.rpm
jbcs-httpd24-openssl-chil-1.0.0-17.el7jbcs.x86_64.rpm
jbcs-httpd24-openssl-chil-debuginfo-1.0.0-17.el7jbcs.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.1.1k-13.el7jbcs.x86_64.rpm
jbcs-httpd24-openssl-devel-1.1.1k-13.el7jbcs.x86_64.rpm
jbcs-httpd24-openssl-libs-1.1.1k-13.el7jbcs.x86_64.rpm
jbcs-httpd24-openssl-perl-1.1.1k-13.el7jbcs.x86_64.rpm
jbcs-httpd24-openssl-pkcs11-0.4.10-32.el7jbcs.x86_64.rpm
jbcs-httpd24-openssl-pkcs11-debuginfo-0.4.10-32.el7jbcs.x86_64.rpm
jbcs-httpd24-openssl-static-1.1.1k-13.el7jbcs.x86_64.rpm

Red Hat JBoss Core Services on RHEL 8:

Source:
jbcs-httpd24-apr-util-1.6.1-99.el8jbcs.src.rpm
jbcs-httpd24-curl-7.86.0-2.el8jbcs.src.rpm
jbcs-httpd24-httpd-2.4.51-37.el8jbcs.src.rpm
jbcs-httpd24-mod_http2-1.15.19-20.el8jbcs.src.rpm
jbcs-httpd24-mod_jk-1.2.48-44.redhat_1.el8jbcs.src.rpm
jbcs-httpd24-mod_md-2.4.0-18.el8jbcs.src.rpm
jbcs-httpd24-mod_proxy_cluster-1.3.17-13.el8jbcs.src.rpm
jbcs-httpd24-mod_security-2.9.3-22.el8jbcs.src.rpm
jbcs-httpd24-nghttp2-1.43.0-11.el8jbcs.src.rpm
jbcs-httpd24-openssl-1.1.1k-13.el8jbcs.src.rpm
jbcs-httpd24-openssl-chil-1.0.0-17.el8jbcs.src.rpm
jbcs-httpd24-openssl-pkcs11-0.4.10-32.el8jbcs.src.rpm

noarch:
jbcs-httpd24-httpd-manual-2.4.51-37.el8jbcs.noarch.rpm

x86_64:
jbcs-httpd24-apr-util-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-devel-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-ldap-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-ldap-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-mysql-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-mysql-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-nss-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-nss-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-odbc-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-odbc-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-openssl-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-openssl-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-pgsql-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-pgsql-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-sqlite-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-apr-util-sqlite-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm
jbcs-httpd24-curl-7.86.0-2.el8jbcs.x86_64.rpm
jbcs-httpd24-curl-debuginfo-7.86.0-2.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-devel-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-selinux-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-tools-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-httpd-tools-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-libcurl-7.86.0-2.el8jbcs.x86_64.rpm
jbcs-httpd24-libcurl-debuginfo-7.86.0-2.el8jbcs.x86_64.rpm
jbcs-httpd24-libcurl-devel-7.86.0-2.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_http2-1.15.19-20.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_http2-debuginfo-1.15.19-20.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_jk-ap24-1.2.48-44.redhat_1.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_jk-ap24-debuginfo-1.2.48-44.redhat_1.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_ldap-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_ldap-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_md-2.4.0-18.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_md-debuginfo-2.4.0-18.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_proxy_cluster-1.3.17-13.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_proxy_cluster-debuginfo-1.3.17-13.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_proxy_html-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_proxy_html-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_security-2.9.3-22.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_security-debuginfo-2.9.3-22.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_session-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_session-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_ssl-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-mod_ssl-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm
jbcs-httpd24-nghttp2-1.43.0-11.el8jbcs.x86_64.rpm
jbcs-httpd24-nghttp2-debuginfo-1.43.0-11.el8jbcs.x86_64.rpm
jbcs-httpd24-nghttp2-devel-1.43.0-11.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-1.1.1k-13.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-chil-1.0.0-17.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-chil-debuginfo-1.0.0-17.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.1.1k-13.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-devel-1.1.1k-13.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-libs-1.1.1k-13.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-libs-debuginfo-1.1.1k-13.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-perl-1.1.1k-13.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-pkcs11-0.4.10-32.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-pkcs11-debuginfo-0.4.10-32.el8jbcs.x86_64.rpm
jbcs-httpd24-openssl-static-1.1.1k-13.el8jbcs.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-22721
https://access.redhat.com/security/cve/CVE-2022-23943
https://access.redhat.com/security/cve/CVE-2022-26377
https://access.redhat.com/security/cve/CVE-2022-28330
https://access.redhat.com/security/cve/CVE-2022-28614
https://access.redhat.com/security/cve/CVE-2022-28615
https://access.redhat.com/security/cve/CVE-2022-30522
https://access.redhat.com/security/cve/CVE-2022-31813
https://access.redhat.com/security/cve/CVE-2022-32206
https://access.redhat.com/security/cve/CVE-2022-32207
https://access.redhat.com/security/cve/CVE-2022-32208
https://access.redhat.com/security/cve/CVE-2022-32221
https://access.redhat.com/security/cve/CVE-2022-35252
https://access.redhat.com/security/cve/CVE-2022-42915
https://access.redhat.com/security/cve/CVE-2022-42916
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY5ISE9zjgjWX9erEAQixuA//dX5Q3wtu2MRvrjD/sK/r6dqBz4fWWhS9
ws2A8cRa5ki3RlCaYQ3pP7LkRtIdankAP3HG1NU4er/odsMEW5aEgku+5foV7w4M
WEd0USLKs3Pw5a7/3TjOBUf5CA7oet03C7/u9idWaLD/ip4UMhskSnz33qFQSFZf
FAWNdsRhH8+ql6qFMg9Odv5RFX3i2+wBy5pC69Akr2FBEt9j+/PbvSPWuPD26n6H
0l+QUKrI3OW1EHzz+S/8aEfTFKLluXfhVJn61wdA8Kjs4ZKrnBz8czJjxn4hOi7a
z0tpzg5d1BJEf/UB7EdyyLBGRIliWhf978qtG8QS37GEgnQSof2xgcfu1NGiHl9j
ypCqX1R4oOkeoISynnZUKWZ1uFp5GkMiRtPu0Bw7WYB6z/8OWZce4yIqh1rcG09d
NcyleabDtpJ7C3BJQzpnhXAWjri7oJ6wHBvcbQ9sLj2xkQRX2Zpi0KJGIH8iLwdn
Ik+RIZ7u/mXeW3ulcwiQTPYbTQLWGXqgZV1qxJq91HIcu+y3STQwZjb4fZuqjH5M
onO/rF2y50l9LqArg/v9KAJUbHSKMDP6r7Dx02J+iKjW3g7NczoImrU7JcyAgce9
mCN7gMmU9bQx1tagIKcKKW5IVN/jHyWKJW/t0teoaECsa2LMgoEIt+6RcmQXWpdF
6t6oQh+b3NY=
=UGfz
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-8840:01 Moderate: Red Hat JBoss Core Services Apache HTTP

An update is now available for Red Hat JBoss Core Services

Summary

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.
This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* curl: HSTS bypass via IDN (CVE-2022-42916)
* curl: HTTP proxy double-free (CVE-2022-42915)
* curl: POST following PUT confusion (CVE-2022-32221)
* httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)
* httpd: mod_sed: DoS vulnerability (CVE-2022-30522)
* httpd: out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)
* httpd: out-of-bounds read via ap_rwrite() (CVE-2022-28614)
* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
* curl: control code in cookie denial of service (CVE-2022-35252)
* jbcs-httpd24-httpd: httpd: mod_isapi: out-of-bounds read (CVE-2022-28330)
* curl: Unpreserved file permissions (CVE-2022-32207)
* curl: various flaws (CVE-2022-32206 CVE-2022-32208)
* openssl: the c_rehash script allows command injection (CVE-2022-2068)
* openssl: c_rehash script allows command injection (CVE-2022-1292)
* jbcs-httpd24-httpd: httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721)
* jbcs-httpd24-httpd: httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://access.redhat.com/articles/11258Applications using the APR libraries, such as httpd, must be restarted forthis update to take effect. After installing the updated packages, thehttpd daemon will be restarted automatically.

References

https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-22721 https://access.redhat.com/security/cve/CVE-2022-23943 https://access.redhat.com/security/cve/CVE-2022-26377 https://access.redhat.com/security/cve/CVE-2022-28330 https://access.redhat.com/security/cve/CVE-2022-28614 https://access.redhat.com/security/cve/CVE-2022-28615 https://access.redhat.com/security/cve/CVE-2022-30522 https://access.redhat.com/security/cve/CVE-2022-31813 https://access.redhat.com/security/cve/CVE-2022-32206 https://access.redhat.com/security/cve/CVE-2022-32207 https://access.redhat.com/security/cve/CVE-2022-32208 https://access.redhat.com/security/cve/CVE-2022-32221 https://access.redhat.com/security/cve/CVE-2022-35252 https://access.redhat.com/security/cve/CVE-2022-42915 https://access.redhat.com/security/cve/CVE-2022-42916 https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat JBoss Core Services on RHEL 7 Server:
Source: jbcs-httpd24-apr-util-1.6.1-99.el7jbcs.src.rpm jbcs-httpd24-curl-7.86.0-2.el7jbcs.src.rpm jbcs-httpd24-httpd-2.4.51-37.el7jbcs.src.rpm jbcs-httpd24-mod_http2-1.15.19-20.el7jbcs.src.rpm jbcs-httpd24-mod_jk-1.2.48-44.redhat_1.el7jbcs.src.rpm jbcs-httpd24-mod_md-2.4.0-18.el7jbcs.src.rpm jbcs-httpd24-mod_proxy_cluster-1.3.17-13.el7jbcs.src.rpm jbcs-httpd24-mod_security-2.9.3-22.el7jbcs.src.rpm jbcs-httpd24-nghttp2-1.43.0-11.el7jbcs.src.rpm jbcs-httpd24-openssl-1.1.1k-13.el7jbcs.src.rpm jbcs-httpd24-openssl-chil-1.0.0-17.el7jbcs.src.rpm jbcs-httpd24-openssl-pkcs11-0.4.10-32.el7jbcs.src.rpm
noarch: jbcs-httpd24-httpd-manual-2.4.51-37.el7jbcs.noarch.rpm
x86_64: jbcs-httpd24-apr-util-1.6.1-99.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-debuginfo-1.6.1-99.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-devel-1.6.1-99.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-ldap-1.6.1-99.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-mysql-1.6.1-99.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-nss-1.6.1-99.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-odbc-1.6.1-99.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-openssl-1.6.1-99.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-pgsql-1.6.1-99.el7jbcs.x86_64.rpm jbcs-httpd24-apr-util-sqlite-1.6.1-99.el7jbcs.x86_64.rpm jbcs-httpd24-curl-7.86.0-2.el7jbcs.x86_64.rpm jbcs-httpd24-curl-debuginfo-7.86.0-2.el7jbcs.x86_64.rpm jbcs-httpd24-httpd-2.4.51-37.el7jbcs.x86_64.rpm jbcs-httpd24-httpd-debuginfo-2.4.51-37.el7jbcs.x86_64.rpm jbcs-httpd24-httpd-devel-2.4.51-37.el7jbcs.x86_64.rpm jbcs-httpd24-httpd-selinux-2.4.51-37.el7jbcs.x86_64.rpm jbcs-httpd24-httpd-tools-2.4.51-37.el7jbcs.x86_64.rpm jbcs-httpd24-libcurl-7.86.0-2.el7jbcs.x86_64.rpm jbcs-httpd24-libcurl-devel-7.86.0-2.el7jbcs.x86_64.rpm jbcs-httpd24-mod_http2-1.15.19-20.el7jbcs.x86_64.rpm jbcs-httpd24-mod_http2-debuginfo-1.15.19-20.el7jbcs.x86_64.rpm jbcs-httpd24-mod_jk-ap24-1.2.48-44.redhat_1.el7jbcs.x86_64.rpm jbcs-httpd24-mod_jk-debuginfo-1.2.48-44.redhat_1.el7jbcs.x86_64.rpm jbcs-httpd24-mod_ldap-2.4.51-37.el7jbcs.x86_64.rpm jbcs-httpd24-mod_md-2.4.0-18.el7jbcs.x86_64.rpm jbcs-httpd24-mod_md-debuginfo-2.4.0-18.el7jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_cluster-1.3.17-13.el7jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_cluster-debuginfo-1.3.17-13.el7jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_html-2.4.51-37.el7jbcs.x86_64.rpm jbcs-httpd24-mod_security-2.9.3-22.el7jbcs.x86_64.rpm jbcs-httpd24-mod_security-debuginfo-2.9.3-22.el7jbcs.x86_64.rpm jbcs-httpd24-mod_session-2.4.51-37.el7jbcs.x86_64.rpm jbcs-httpd24-mod_ssl-2.4.51-37.el7jbcs.x86_64.rpm jbcs-httpd24-nghttp2-1.43.0-11.el7jbcs.x86_64.rpm jbcs-httpd24-nghttp2-debuginfo-1.43.0-11.el7jbcs.x86_64.rpm jbcs-httpd24-nghttp2-devel-1.43.0-11.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-1.1.1k-13.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-chil-1.0.0-17.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-chil-debuginfo-1.0.0-17.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-debuginfo-1.1.1k-13.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-devel-1.1.1k-13.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-libs-1.1.1k-13.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-perl-1.1.1k-13.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-pkcs11-0.4.10-32.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-pkcs11-debuginfo-0.4.10-32.el7jbcs.x86_64.rpm jbcs-httpd24-openssl-static-1.1.1k-13.el7jbcs.x86_64.rpm
Red Hat JBoss Core Services on RHEL 8:
Source: jbcs-httpd24-apr-util-1.6.1-99.el8jbcs.src.rpm jbcs-httpd24-curl-7.86.0-2.el8jbcs.src.rpm jbcs-httpd24-httpd-2.4.51-37.el8jbcs.src.rpm jbcs-httpd24-mod_http2-1.15.19-20.el8jbcs.src.rpm jbcs-httpd24-mod_jk-1.2.48-44.redhat_1.el8jbcs.src.rpm jbcs-httpd24-mod_md-2.4.0-18.el8jbcs.src.rpm jbcs-httpd24-mod_proxy_cluster-1.3.17-13.el8jbcs.src.rpm jbcs-httpd24-mod_security-2.9.3-22.el8jbcs.src.rpm jbcs-httpd24-nghttp2-1.43.0-11.el8jbcs.src.rpm jbcs-httpd24-openssl-1.1.1k-13.el8jbcs.src.rpm jbcs-httpd24-openssl-chil-1.0.0-17.el8jbcs.src.rpm jbcs-httpd24-openssl-pkcs11-0.4.10-32.el8jbcs.src.rpm
noarch: jbcs-httpd24-httpd-manual-2.4.51-37.el8jbcs.noarch.rpm
x86_64: jbcs-httpd24-apr-util-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-devel-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-ldap-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-ldap-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-mysql-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-mysql-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-nss-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-nss-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-odbc-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-odbc-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-openssl-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-openssl-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-pgsql-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-pgsql-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-sqlite-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-apr-util-sqlite-debuginfo-1.6.1-99.el8jbcs.x86_64.rpm jbcs-httpd24-curl-7.86.0-2.el8jbcs.x86_64.rpm jbcs-httpd24-curl-debuginfo-7.86.0-2.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-devel-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-selinux-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-tools-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-httpd-tools-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-libcurl-7.86.0-2.el8jbcs.x86_64.rpm jbcs-httpd24-libcurl-debuginfo-7.86.0-2.el8jbcs.x86_64.rpm jbcs-httpd24-libcurl-devel-7.86.0-2.el8jbcs.x86_64.rpm jbcs-httpd24-mod_http2-1.15.19-20.el8jbcs.x86_64.rpm jbcs-httpd24-mod_http2-debuginfo-1.15.19-20.el8jbcs.x86_64.rpm jbcs-httpd24-mod_jk-ap24-1.2.48-44.redhat_1.el8jbcs.x86_64.rpm jbcs-httpd24-mod_jk-ap24-debuginfo-1.2.48-44.redhat_1.el8jbcs.x86_64.rpm jbcs-httpd24-mod_ldap-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-mod_ldap-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-mod_md-2.4.0-18.el8jbcs.x86_64.rpm jbcs-httpd24-mod_md-debuginfo-2.4.0-18.el8jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_cluster-1.3.17-13.el8jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_cluster-debuginfo-1.3.17-13.el8jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_html-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-mod_proxy_html-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-mod_security-2.9.3-22.el8jbcs.x86_64.rpm jbcs-httpd24-mod_security-debuginfo-2.9.3-22.el8jbcs.x86_64.rpm jbcs-httpd24-mod_session-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-mod_session-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-mod_ssl-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-mod_ssl-debuginfo-2.4.51-37.el8jbcs.x86_64.rpm jbcs-httpd24-nghttp2-1.43.0-11.el8jbcs.x86_64.rpm jbcs-httpd24-nghttp2-debuginfo-1.43.0-11.el8jbcs.x86_64.rpm jbcs-httpd24-nghttp2-devel-1.43.0-11.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-1.1.1k-13.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-chil-1.0.0-17.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-chil-debuginfo-1.0.0-17.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-debuginfo-1.1.1k-13.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-devel-1.1.1k-13.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-libs-1.1.1k-13.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-libs-debuginfo-1.1.1k-13.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-perl-1.1.1k-13.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-pkcs11-0.4.10-32.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-pkcs11-debuginfo-0.4.10-32.el8jbcs.x86_64.rpm jbcs-httpd24-openssl-static-1.1.1k-13.el8jbcs.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity
Advisory ID: RHSA-2022:8840-01
Product: Red Hat JBoss Core Services
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8840
Issued Date: : 2022-12-08
CVE Names: CVE-2022-1292 CVE-2022-2068 CVE-2022-22721 CVE-2022-23943 CVE-2022-26377 CVE-2022-28330 CVE-2022-28614 CVE-2022-28615 CVE-2022-30522 CVE-2022-31813 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208 CVE-2022-32221 CVE-2022-35252 CVE-2022-42915 CVE-2022-42916

Topic

An update is now available for Red Hat JBoss Core Services.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat JBoss Core Services on RHEL 7 Server - noarch, x86_64

Red Hat JBoss Core Services on RHEL 8 - noarch, x86_64

Bugs Fixed

2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds

2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody

2081494 - CVE-2022-1292 openssl: c_rehash script allows command injection

2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling

2095000 - CVE-2022-28330 httpd: mod_isapi: out-of-bounds read

2095002 - CVE-2022-28614 httpd: Out-of-bounds read via ap_rwrite()

2095006 - CVE-2022-28615 httpd: Out-of-bounds read in ap_strcmp_match()

2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability

2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism

2097310 - CVE-2022-2068 openssl: the c_rehash script allows command injection

2099300 - CVE-2022-32206 curl: HTTP compression denial of service

2099305 - CVE-2022-32207 curl: Unpreserved file permissions

2099306 - CVE-2022-32208 curl: FTP-KRB bad message verification

2120718 - CVE-2022-35252 curl: control code in cookie denial of service

2135411 - CVE-2022-32221 curl: POST following PUT confusion

2135413 - CVE-2022-42915 curl: HTTP proxy double-free

2135416 - CVE-2022-42916 curl: HSTS bypass via IDN