===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2512
   Moderate: Red Hat JBoss Web Server 3.1 Service Pack 7 security and bug
                                fix update
                                10 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Web Server
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0739

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:1711
   https://access.redhat.com/errata/RHSA-2019:1712

Comment: This bulletin contains two (2) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 3.1 Service Pack 7
                   security and bug fix update
Advisory ID:       RHSA-2019:1711-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1711
Issue date:        2019-07-09
CVE Names:         CVE-2018-0739
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and
Red Hat JBoss Web Server 3.1 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.1 for RHEL 6 - i386, noarch, x86_64
Red Hat JBoss Web Server 3.1 for RHEL 7 - noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 7 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* openssl: Handling of crafted recursive ASN.1 structures can cause a stack
overflow and resulting denial of service (CVE-2018-0739)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1561266 - CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service

6. JIRA issues fixed (https://issues.jboss.org/):

JWS-1303 - Body text property replacement fails [jws3]
JWS-1414 - Tomcat frequently hangs at startup when Jolokia loads certificate [jws-3]

7. Package List:

Red Hat JBoss Web Server 3.1 for RHEL 6:

Source:
tomcat-native-1.2.17-19.redhat_19.ep7.el6.src.rpm
tomcat7-7.0.70-34.ep7.el6.src.rpm
tomcat8-8.0.36-39.ep7.el6.src.rpm

i386:
tomcat-native-1.2.17-19.redhat_19.ep7.el6.i686.rpm
tomcat-native-debuginfo-1.2.17-19.redhat_19.ep7.el6.i686.rpm

noarch:
tomcat7-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-admin-webapps-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-docs-webapp-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-javadoc-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-jsvc-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-lib-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-log4j-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-selinux-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-34.ep7.el6.noarch.rpm
tomcat7-webapps-7.0.70-34.ep7.el6.noarch.rpm
tomcat8-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-admin-webapps-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-docs-webapp-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-el-2.2-api-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-javadoc-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-jsvc-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-lib-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-log4j-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-selinux-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-39.ep7.el6.noarch.rpm
tomcat8-webapps-8.0.36-39.ep7.el6.noarch.rpm

x86_64:
tomcat-native-1.2.17-19.redhat_19.ep7.el6.x86_64.rpm
tomcat-native-debuginfo-1.2.17-19.redhat_19.ep7.el6.x86_64.rpm

Red Hat JBoss Web Server 3.1 for RHEL 7:

Source:
tomcat-native-1.2.17-19.redhat_19.ep7.el7.src.rpm
tomcat7-7.0.70-34.ep7.el7.src.rpm
tomcat8-8.0.36-39.ep7.el7.src.rpm

noarch:
tomcat7-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-admin-webapps-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-docs-webapp-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-javadoc-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-jsvc-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-lib-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-log4j-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-selinux-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-34.ep7.el7.noarch.rpm
tomcat7-webapps-7.0.70-34.ep7.el7.noarch.rpm
tomcat8-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-admin-webapps-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-docs-webapp-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-el-2.2-api-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-javadoc-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-jsvc-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-lib-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-log4j-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-selinux-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-39.ep7.el7.noarch.rpm
tomcat8-webapps-8.0.36-39.ep7.el7.noarch.rpm

x86_64:
tomcat-native-1.2.17-19.redhat_19.ep7.el7.x86_64.rpm
tomcat-native-debuginfo-1.2.17-19.redhat_19.ep7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2018-0739
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html/3.1.0_release_notes/index

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
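An added check, not part of either advisory, that a defender can run against rpm -qa output to find hosts still carrying pre-fix JWS 3.1 packages: the fixed version/release pairs come from the RHSA-2019:1711 package list above, the rpmvercmp here is a simplified reimplementation (no epoch, tilde or caret handling; the .ep7.elN dist tag is ignored), and the sample output is constructed.

```python
import re

# Fixed versions from the RHSA-2019:1711 package list (the .ep7.elN dist tag is left off).
FIXED = {"tomcat-native": ("1.2.17", "19.redhat_19"),
         "tomcat7": ("7.0.70", "34"), "tomcat8": ("8.0.36", "39")}

def rpmvercmp(a, b):
    """Simplified rpmvercmp (-1/0/1): compare digit and alpha runs left to right; no epoch/tilde."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run sorts newer than an alpha run
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(nvr):
    """True/False for packages this advisory covers (subpackages included), None otherwise."""
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        return None
    name, version, release = parts
    base = next((k for k in FIXED if name == k or name.startswith(k + "-")), None)
    if base is None:
        return None
    fixed_version, fixed_release = FIXED[base]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0

def audit(rpm_qa_output):
    """Map each covered NVR from rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\\n' to its status."""
    report = {}
    for nvr in rpm_qa_output.split():
        status = is_patched(nvr)
        if status is not None:
            report[nvr] = "patched" if status else "VULNERABLE"
    return report

# Constructed sample of rpm -qa output; not taken from a real host.
SAMPLE = """
tomcat7-7.0.70-33.ep7.el7
tomcat7-lib-7.0.70-33.ep7.el7
tomcat8-8.0.36-39.ep7.el7
tomcat-native-1.2.17-18.redhat_18.ep7.el7
httpd-2.4.6-89.el7
"""
```

Packages not named in the advisory (httpd in the sample) are skipped rather than reported, so an empty report means nothing covered was found, not that the host is patched.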
=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 3.1 Service Pack 7
                   security and bug fix update
Advisory ID:       RHSA-2019:1712-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1712
Issue date:        2019-07-09
CVE Names:         CVE-2018-0739 CVE-2019-0232
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 7 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Remote Code Execution on Windows (CVE-2019-0232)

* openssl: Handling of crafted recursive ASN.1 structures can cause a stack
overflow and resulting denial of service (CVE-2018-0739)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1561266 - CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service
1701056 - CVE-2019-0232 tomcat: Remote Code Execution on Windows

5. JIRA issues fixed (https://issues.jboss.org/):

JWS-1303 - Body text property replacement fails [jws3]
JWS-1414 - Tomcat frequently hangs at startup when Jolokia loads certificate [jws-3]

6. References:

https://access.redhat.com/security/cve/CVE-2018-0739
https://access.redhat.com/security/cve/CVE-2019-0232
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html/3.1.0_release_notes/index

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================