Operating System:

[RedHat]

Published:

11 October 2019

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3805
          Red Hat OpenShift Application Runtimes Thorntail 2.5.0
                         security & bug fix update
                              11 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Application Runtimes
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14379 CVE-2019-12384 CVE-2019-12086
                   CVE-2019-10212 CVE-2019-10184 CVE-2019-3888
                   CVE-2019-3868  

Reference:         ASB-2019.0201
                   ASB-2019.0199

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:2998

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Application Runtimes Thorntail 2.5.0 security & bug fix update
Advisory ID:       RHSA-2019:2998-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:2998
Issue date:        2019-10-10
CVE Names:         CVE-2019-3868 CVE-2019-3888 CVE-2019-10184 
                   CVE-2019-10212 CVE-2019-12086 CVE-2019-12384 
                   CVE-2019-14379 
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Application Runtimes provides an application platform
that reduces the complexity of developing and operating applications
(monoliths and microservices) for OpenShift as a containerized platform.

This release of RHOAR Thorntail 2.5.0 serves as a replacement for RHOAR
Thorntail 2.4.0, and includes security and bug fixes and enhancements. For
further information, refer to the release notes linked to in the References
section.

Security Fix(es):

* keycloak: session hijack using the user access token (CVE-2019-3868)

* undertow: leak credentials to log files
UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)

* undertow: Information leak in requests for directories without trailing
slashes (CVE-2019-10184)

* jackson-databind: polymorphic typing issue allows attacker to read
arbitrary local files on the server (CVE-2019-12086)

* jackson-databind: failure to block the logback-core class from
polymorphic deserialization leading to remote code execution
(CVE-2019-12384)

* undertow: DEBUG log for io.undertow.request.security if enabled leaks
credentials to log files (CVE-2019-10212)

* jackson-databind: default typing mishandling leading to remote code
execution (CVE-2019-14379)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1679144 - CVE-2019-3868 keycloak: session hijack using the user access token
1693777 - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed
1713068 - CVE-2019-10184 undertow: Information leak in requests for directories without trailing slashes
1713468 - CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
1731984 - CVE-2019-10212 undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files
1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution

5. References:

https://access.redhat.com/security/cve/CVE-2019-3868
https://access.redhat.com/security/cve/CVE-2019-3888
https://access.redhat.com/security/cve/CVE-2019-10184
https://access.redhat.com/security/cve/CVE-2019-10212
https://access.redhat.com/security/cve/CVE-2019-12086
https://access.redhat.com/security/cve/CVE-2019-12384
https://access.redhat.com/security/cve/CVE-2019-14379
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.thorntail&version=2.5.0
https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html/release_notes_for_thorntail_2/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXZ7/+tzjgjWX9erEAQiaPQ//T8jaEp/5hzCtLevU81/jQ3SBEpnmlsAm
+TZzntAEPMEypQDs7si1Or8u9D42+xRWamTYoWd0vf+Lr4Rd33vKtFaN8SFQJAGf
kWoKznKARKgfyI3H68wF182h3jTKo4FHy2FGqw1KL4TSTiYlp2ylMQX2vra8e11E
hDkLRhp1wxyPVFe3d70gILSgI84WXfUzRpmwqEaYnTT+br/ml26Sg0QOdjD+Q0qK
Et1q0ywyhktzS3av1UgNgwExk4Rbj69LYmLRBRdyLopGq0H64VIStnz7F+ayaoWp
VZyfeq4iktcJWbpj7WTxMEZy9KniVaAAMhVjxuD+OPB+dhOJluAByYctToitk+0I
9e8WdY0VelGTJUmXrWsAiPN6R0HC1aUOhWJC4c5YnAJxJdCXEQlzdORCZpNS2lt/
/FlALnmO7bzkQ4Y+fuYp8UuVHTHT9pnjLELyJwV6oekfG6BLvLABvoWvG3nzrvbK
ptAA2Aj/cDREpLnli0+OVzEkwr1Mt9fI07JZJE5dIXPcG1UqvEeZG0SG4G8JeUiD
UCtn4PwjYafK+a1FC+g04cfy9axWbQHAJZvaUYKWI35qRyhwEh7Yz6pBYE0h4+zF
kulGbR2UZOLXhgcUWH4bRuYz7hd8xp4XmZ9RFhoarUg+1VZZ1nRTcWM+7HQQgtUP
vUqIQZGZjuM=
=uM6I
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXZ/NLGaOgq3Tt24GAQitLw/8DItSb0BItC7JkVVvrfSg/k53YgzfX33t
wYegg6H2Cwbry6XV2aKvLe+fO0Ta+0V7padf3o81EMjvaBLIgIQqq31tdFGc63z/
xgL8T2Gl2x+KCHSqrP009SM3FKOkRGibKt8KJr6wlXr1jrzvTzdLArsfqeNDWyxa
s9vN6VcW907jkYeupn206c0d3F0ovKozBWmBD6xHhO7n3KujV8I6fjSDOD9C+RDN
yH2ajab6nWw7sReIfByaQm+2UtC/vR2Z2VAiKF19Wu7QsL4mOhJW2fQDqJforBRL
ogz2NpQBVZ4sMg0lE1ShVIW2vSESWUmE4N/+jv9ojyaCkwwGVUiniBmCuvkxVgEf
yuH74Y6R90gFrB89tnmU2kxB+zJLX+HWRZmpViUqaxu0Qyfi9HROM3Io9GKdN3wP
Aq5mcmTzriPVEBLngFRU2/R6NviGGFsM/1rBm24eB+QxKqa6ltWJi6d6sdFX8wFH
hr8siv4ThWl+KJyJhEWHLrYxhbXyshps7QuXXhqrcDkZSZRvXfOqbyhuswk7NfAM
ZqardgtZn2/v/kH53sGx6+RlyUYwiRC2HPSB1H3KhlneA/eu1wtnV5T5UKqpON0E
zjfj+9G/rH7zdOPspQw+S8HeAQIKbgQwo7WZTam9U2w1j/MZ8bhIl9I9gVKItqDF
a9Eez8euRx8=
=QaDY
-----END PGP SIGNATURE-----