ESB-2018.2984 - [RedHat] Red Hat JBoss Web Server 5.0: Reduced security - Remote/unauthenticated 2018-10-04


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2984
          Important: Red Hat JBoss Web Server 5.0 Service Pack 1
                        security and bug fix update
                              4 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Web Server 5.0
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux Server 7
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8037  

Reference:         ESB-2018.2751
                   ESB-2018.2563
                   ESB-2018.2125.2

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2867
   https://access.redhat.com/errata/RHSA-2018:2868

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 5.0 Service Pack 1 security and bug fix update
Advisory ID:       RHSA-2018:2867-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2867
Issue date:        2018-10-03
CVE Names:         CVE-2018-8037 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and
Red Hat JBoss Web Server 5.0 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.0 Service Pack 1 serves as a
replacement for Red Hat JBoss Web Server 5.0, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Information Disclosure (CVE-2018-8037)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1607582 - CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up

5. JIRA issues fixed (https://issues.jboss.org/):

JWS-1028 - Failures in jBPM embedded use case with H2 database
JWS-1064 - Update the Tomcat fork of Commons DBCP 2 to 2.4.0
JWS-1065 - Tomcat Commons Pool Update
JWS-1121 - Update the internal fork of Apache Commons DBCP 2 to abc0484 (2018-08-09) to pick up some bug fixes and enhancements
JWS-1124 - ARJUNA016082: Synchronizations are not allowed! Transaction status isActionStatus.RUNNING when running jBPM engine in KIE server deployed to Tomcat
JWS-996 - Connection leak during XATransaction in high load

6. References:

https://access.redhat.com/security/cve/CVE-2018-8037
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 5.0 Service Pack 1 security and bug fix update
Advisory ID:       RHSA-2018:2868-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2868
Issue date:        2018-10-03
CVE Names:         CVE-2018-8037 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and
Red Hat JBoss Web Server 5.0 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 5.0 for RHEL 6 Server - noarch
Red Hat JBoss Web Server 5.0 for RHEL 7 Server - noarch

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.0 Service Pack 1 serves as a
replacement for Red Hat JBoss Web Server 5.0, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Information Disclosure (CVE-2018-8037)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1607582 - CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up

6. JIRA issues fixed (https://issues.jboss.org/):

JWS-1028 - Failures in jBPM embedded use case with H2 database
JWS-1064 - Update the Tomcat fork of Commons DBCP 2 to 2.4.0
JWS-1065 - Tomcat Commons Pool Update
JWS-1121 - Update the internal fork of Apache Commons DBCP 2 to abc0484 (2018-08-09) to pick up some bug fixes and enhancements
JWS-1124 - ARJUNA016082: Synchronizations are not allowed! Transaction status isActionStatus.RUNNING when running jBPM engine in KIE server deployed to Tomcat
JWS-996 - Connection leak during XATransaction in high load

7. Package List:

Red Hat JBoss Web Server 5.0 for RHEL 6 Server:

Source:
jws5-tomcat-9.0.7-12.redhat_12.1.el6jws.src.rpm

noarch:
jws5-tomcat-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-javadoc-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-jsvc-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-lib-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-selinux-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.7-12.redhat_12.1.el6jws.noarch.rpm
jws5-tomcat-webapps-9.0.7-12.redhat_12.1.el6jws.noarch.rpm

Red Hat JBoss Web Server 5.0 for RHEL 7 Server:

Source:
jws5-tomcat-9.0.7-12.redhat_12.1.el7jws.src.rpm

noarch:
jws5-tomcat-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-javadoc-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-jsvc-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-lib-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-selinux-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.7-12.redhat_12.1.el7jws.noarch.rpm
jws5-tomcat-webapps-9.0.7-12.redhat_12.1.el7jws.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
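As an added audit check (this is not part of the Red Hat advisory or the AusCERT bulletin), the script below compares `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output against the fixed version-release listed in the package list above, using a simplified re-implementation of RPM's version ordering so that a release such as `9.redhat_9` is correctly ranked below `12.redhat_12.1`; the sample output lines are constructed, not captured from a real host.

```python
import re
# Fixed version and release from the advisory's package list; the RHEL 6 and
# RHEL 7 builds differ only in the trailing .el6jws/.el7jws dist tag.
FIXED_VERSION = "9.0.7"
FIXED_RELEASE = "12.redhat_12.1"

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'` output
# (not captured from a real host).
SAMPLE_RPM_QA = """\
jws5-tomcat 9.0.7 11.redhat_11.el7jws
jws5-tomcat-lib 9.0.7 12.redhat_12.1.el7jws
jws5-tomcat-webapps 9.0.7 12.redhat_12.1.el6jws
jws5-tomcat-selinux 9.0.7 9.redhat_9.el7jws
httpd 2.4.6 80.el7
"""
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")   # rpmvercmp segments; other chars separate

def rpmvercmp(a, b):
    """RPM ordering of version/release strings: -1, 0 or 1 (tilde/caret not handled)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:                       # numeric segments compare as integers
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:                      # a numeric segment is newer than alpha
            return 1 if xd else -1
        elif x != y:                        # alpha segments compare lexically
            return -1 if x < y else 1
    if len(sa) != len(sb):                  # the string with more segments is newer
        return -1 if len(sa) < len(sb) else 1
    return 0

def strip_dist(release):
    """Drop the .elNjws dist tag so one fixed release applies to both RHEL builds."""
    return re.sub(r"\.el[0-9]+jws$", "", release)

def vulnerable_packages(rpm_qa_text):
    """Return (name, version-release) for each jws5-tomcat* package below the fix."""
    found = []
    for line in rpm_qa_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].startswith("jws5-tomcat"):
            continue
        name, ver, rel = parts
        order = rpmvercmp(ver, FIXED_VERSION) or rpmvercmp(strip_dist(rel), FIXED_RELEASE)
        if order < 0:
            found.append((name, f"{ver}-{rel}"))
    return found
```

Running `vulnerable_packages` on the sample flags `jws5-tomcat` and `jws5-tomcat-selinux`; epoch is not considered because none of the listed packages carries one.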

8. References:

https://access.redhat.com/security/cve/CVE-2018-8037
https://access.redhat.com/security/updates/classification/#important

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
