===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4405
               Red Hat JBoss Web Server 5.2 security release
                             21 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Web Server
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux Server 8
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated      
                   Denial of Service      -- Remote/Unauthenticated      
                   Cross-site Scripting   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10072 CVE-2019-1559 CVE-2019-0221
                   CVE-2019-0199 CVE-2018-5407 

Reference:         ASB-2019.0296
                   ASB-2019.0208
                   ASB-2019.0202
                   ASB-2019.0147
                   ASB-2019.0120

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:3929
   https://access.redhat.com/errata/RHSA-2019:3931

Comment: This bulletin contains two (2) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

======================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 5.2 security release
Advisory ID:       RHSA-2019:3929-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3929
Issue date:        2019-11-20
Keywords:          jws
CVE Names:         CVE-2018-5407 CVE-2019-0221 CVE-2019-1559
                   CVE-2019-10072
======================================================================

1. Summary:

Updated Red Hat JBoss Web Server 5.2.0 packages are now available for Red
Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise
Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 5.2 for RHEL 6 Server - i386, noarch, x86_64
Red Hat JBoss Web Server 5.2 for RHEL 7 Server - noarch, x86_64
Red Hat JBoss Web Server 5.2 for RHEL 8 - noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.2 serves as a replacement for
Red Hat JBoss Web Server 5.1, and includes bug fixes, enhancements, and
component upgrades, which are documented in the Release Notes, linked to in
the References.

Security Fix(es):

* openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures
(PortSmash) (CVE-2018-5407)

* openssl: 0-byte record padding oracle (CVE-2019-1559)

* tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of
CVE-2019-0199 (CVE-2019-10072)

* tomcat: XSS in SSI printenv (CVE-2019-0221)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1645695 - CVE-2018-5407 openssl: Side-channel vulnerability on 
                        SMT/Hyper-Threading architectures (PortSmash)
1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle
1713275 - CVE-2019-0221 tomcat: XSS in SSI printenv
1723708 - CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on 
                         write, incomplete fix of CVE-2019-0199

6. Package List:

Red Hat JBoss Web Server 5.2 for RHEL 6 Server:

Source:
jws5-ecj-4.12.0-1.redhat_1.1.el6jws.src.rpm
jws5-javapackages-tools-3.4.1-5.15.11.el6jws.src.rpm
jws5-jboss-logging-3.3.2-1.Final_redhat_00001.1.el6jws.src.rpm
jws5-mod_cluster-1.4.1-1.Final_redhat_00001.2.el6jws.src.rpm
jws5-tomcat-9.0.21-10.redhat_4.1.el6jws.src.rpm
jws5-tomcat-native-1.2.21-34.redhat_34.el6jws.src.rpm
jws5-tomcat-vault-1.1.8-1.Final_redhat_1.1.el6jws.src.rpm

i386:
jws5-tomcat-native-1.2.21-34.redhat_34.el6jws.i686.rpm
jws5-tomcat-native-debuginfo-1.2.21-34.redhat_34.el6jws.i686.rpm

noarch:
jws5-ecj-4.12.0-1.redhat_1.1.el6jws.noarch.rpm
jws5-javapackages-tools-3.4.1-5.15.11.el6jws.noarch.rpm
jws5-jboss-logging-3.3.2-1.Final_redhat_00001.1.el6jws.noarch.rpm
jws5-mod_cluster-1.4.1-1.Final_redhat_00001.2.el6jws.noarch.rpm
jws5-mod_cluster-tomcat-1.4.1-1.Final_redhat_00001.2.el6jws.noarch.rpm
jws5-python-javapackages-3.4.1-5.15.11.el6jws.noarch.rpm
jws5-tomcat-9.0.21-10.redhat_4.1.el6jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.21-10.redhat_4.1.el6jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.21-10.redhat_4.1.el6jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.21-10.redhat_4.1.el6jws.noarch.rpm
jws5-tomcat-javadoc-9.0.21-10.redhat_4.1.el6jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.21-10.redhat_4.1.el6jws.noarch.rpm
jws5-tomcat-lib-9.0.21-10.redhat_4.1.el6jws.noarch.rpm
jws5-tomcat-selinux-9.0.21-10.redhat_4.1.el6jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.21-10.redhat_4.1.el6jws.noarch.rpm
jws5-tomcat-vault-1.1.8-1.Final_redhat_1.1.el6jws.noarch.rpm
jws5-tomcat-vault-javadoc-1.1.8-1.Final_redhat_1.1.el6jws.noarch.rpm
jws5-tomcat-webapps-9.0.21-10.redhat_4.1.el6jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.21-34.redhat_34.el6jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.21-34.redhat_34.el6jws.x86_64.rpm

Red Hat JBoss Web Server 5.2 for RHEL 7 Server:

Source:
jws5-ecj-4.12.0-1.redhat_1.1.el7jws.src.rpm
jws5-javapackages-tools-3.4.1-5.15.11.el7jws.src.rpm
jws5-jboss-logging-3.3.2-1.Final_redhat_00001.1.el7jws.src.rpm
jws5-mod_cluster-1.4.1-1.Final_redhat_00001.2.el7jws.src.rpm
jws5-tomcat-9.0.21-10.redhat_4.1.el7jws.src.rpm
jws5-tomcat-native-1.2.21-34.redhat_34.el7jws.src.rpm
jws5-tomcat-vault-1.1.8-1.Final_redhat_1.1.el7jws.src.rpm

noarch:
jws5-ecj-4.12.0-1.redhat_1.1.el7jws.noarch.rpm
jws5-javapackages-tools-3.4.1-5.15.11.el7jws.noarch.rpm
jws5-jboss-logging-3.3.2-1.Final_redhat_00001.1.el7jws.noarch.rpm
jws5-mod_cluster-1.4.1-1.Final_redhat_00001.2.el7jws.noarch.rpm
jws5-mod_cluster-tomcat-1.4.1-1.Final_redhat_00001.2.el7jws.noarch.rpm
jws5-python-javapackages-3.4.1-5.15.11.el7jws.noarch.rpm
jws5-tomcat-9.0.21-10.redhat_4.1.el7jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.21-10.redhat_4.1.el7jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.21-10.redhat_4.1.el7jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.21-10.redhat_4.1.el7jws.noarch.rpm
jws5-tomcat-javadoc-9.0.21-10.redhat_4.1.el7jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.21-10.redhat_4.1.el7jws.noarch.rpm
jws5-tomcat-lib-9.0.21-10.redhat_4.1.el7jws.noarch.rpm
jws5-tomcat-selinux-9.0.21-10.redhat_4.1.el7jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.21-10.redhat_4.1.el7jws.noarch.rpm
jws5-tomcat-vault-1.1.8-1.Final_redhat_1.1.el7jws.noarch.rpm
jws5-tomcat-vault-javadoc-1.1.8-1.Final_redhat_1.1.el7jws.noarch.rpm
jws5-tomcat-webapps-9.0.21-10.redhat_4.1.el7jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.21-34.redhat_34.el7jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.21-34.redhat_34.el7jws.x86_64.rpm

Red Hat JBoss Web Server 5.2 for RHEL 8:

Source:
jws5-ecj-4.12.0-1.redhat_1.1.el8jws.src.rpm
jws5-javapackages-tools-3.4.1-5.15.11.el8jws.src.rpm
jws5-jboss-logging-3.3.2-1.Final_redhat_00001.1.el8jws.src.rpm
jws5-mod_cluster-1.4.1-1.Final_redhat_00001.2.el8jws.src.rpm
jws5-tomcat-9.0.21-10.redhat_4.1.el8jws.src.rpm
jws5-tomcat-native-1.2.21-34.redhat_34.el8jws.src.rpm
jws5-tomcat-vault-1.1.8-1.Final_redhat_1.1.el8jws.src.rpm

noarch:
jws5-ecj-4.12.0-1.redhat_1.1.el8jws.noarch.rpm
jws5-javapackages-tools-3.4.1-5.15.11.el8jws.noarch.rpm
jws5-jboss-logging-3.3.2-1.Final_redhat_00001.1.el8jws.noarch.rpm
jws5-mod_cluster-1.4.1-1.Final_redhat_00001.2.el8jws.noarch.rpm
jws5-mod_cluster-tomcat-1.4.1-1.Final_redhat_00001.2.el8jws.noarch.rpm
jws5-python-javapackages-3.4.1-5.15.11.el8jws.noarch.rpm
jws5-tomcat-9.0.21-10.redhat_4.1.el8jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.21-10.redhat_4.1.el8jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.21-10.redhat_4.1.el8jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.21-10.redhat_4.1.el8jws.noarch.rpm
jws5-tomcat-javadoc-9.0.21-10.redhat_4.1.el8jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.21-10.redhat_4.1.el8jws.noarch.rpm
jws5-tomcat-lib-9.0.21-10.redhat_4.1.el8jws.noarch.rpm
jws5-tomcat-selinux-9.0.21-10.redhat_4.1.el8jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.21-10.redhat_4.1.el8jws.noarch.rpm
jws5-tomcat-vault-1.1.8-1.Final_redhat_1.1.el8jws.noarch.rpm
jws5-tomcat-vault-javadoc-1.1.8-1.Final_redhat_1.1.el8jws.noarch.rpm
jws5-tomcat-webapps-9.0.21-10.redhat_4.1.el8jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.21-34.redhat_34.el8jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.21-34.redhat_34.el8jws.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
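The package list above is only useful if you can tell whether the hosts you run are at or past the fixed name-version-release. The script below is an added example, not part of the Red Hat advisory or of AusCERT's bulletin: it reimplements librpm's rpmvercmp ordering in Python (the `~` pre-release rule is included; the newer `^` rule is left out, which is an assumption that none of the listed releases use it), parses `rpm -qa` style lines, and reports each covered package as fixed or vulnerable against the RHEL 7 fixed versions taken from section 6. The `rpm -qa` sample is constructed for the example; the `9.0.7-17.redhat_17` tomcat build in it is an invented pre-update value, not a real JWS release.

```python
"""Check installed JWS 5 packages against the fixed versions in RHSA-2019:3929.

Added example: reimplements RPM's version ordering so the comparison is correct
for releases such as 10.redhat_4.1.el7jws, where naive string comparison fails.
"""

# Fixed (version, release) per package, copied from the RHEL 7 Server list in
# section 6 of the advisory.
FIXED_EL7 = {
    "jws5-tomcat": ("9.0.21", "10.redhat_4.1.el7jws"),
    "jws5-tomcat-native": ("1.2.21", "34.redhat_34.el7jws"),
    "jws5-mod_cluster": ("1.4.1", "1.Final_redhat_00001.2.el7jws"),
}

# Constructed sample of `rpm -qa` output; the jws5-tomcat line is an invented
# pre-update build, the other JWS lines match the advisory's fixed packages.
SAMPLE_RPM_QA = """\
jws5-tomcat-9.0.7-17.redhat_17.el7jws.noarch
jws5-tomcat-native-1.2.21-34.redhat_34.el7jws.x86_64
jws5-mod_cluster-1.4.1-1.Final_redhat_00001.2.el7jws.noarch
bash-4.2.46-34.el7.x86_64
"""


def _take(s, k, pred):
    """Return the run of characters starting at s[k] that satisfy pred."""
    end = k
    while end < len(s) and pred(s[end]):
        end += 1
    return s[k:end]


def rpmvercmp(a, b):
    """Compare two RPM version or release strings like librpm's rpmvercmp.

    Returns -1 if a is older than b, 0 if equal, 1 if a is newer.
    Segments are runs of digits or letters; separators are ignored; numeric
    segments beat alphabetic ones; '~' sorts before the end of the string.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separator characters (anything that is not alphanumeric or '~').
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # Tilde handling: "1.0~rc1" is older than "1.0".
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # The type of a's current segment decides what is compared.
        if a[i].isdigit():
            sa, sb, numeric = _take(a, i, str.isdigit), _take(b, j, str.isdigit), True
        else:
            sa, sb, numeric = _take(a, i, str.isalpha), _take(b, j, str.isalpha), False
        i += len(sa)
        j += len(sb)
        if not sb:
            # Segment types differ: a numeric segment is always newer.
            return 1 if numeric else -1
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # All shared segments matched: whichever string has characters left is newer.
    rem_a, rem_b = i < len(a), j < len(b)
    if rem_a == rem_b:
        return 0
    return 1 if rem_a else -1


def parse_nvra(line):
    """Split 'name-version-release.arch' into its four parts (name may contain '-')."""
    nvr, _, arch = line.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def is_fixed(version, release, fixed_version, fixed_release):
    """True when the installed version-release is at or past the fixed one."""
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)
    return c >= 0


def audit(rpm_qa_output, fixed):
    """Map each installed package the advisory covers to 'fixed' or 'vulnerable'."""
    result = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release, _arch = parse_nvra(line)
        if name not in fixed:
            continue  # not a package this advisory ships
        fv, fr = fixed[name]
        result[name] = "fixed" if is_fixed(version, release, fv, fr) else "vulnerable"
    return result


if __name__ == "__main__":
    for pkg, status in sorted(audit(SAMPLE_RPM_QA, FIXED_EL7).items()):
        print(f"{pkg}: {status}")
```

On a real host, pipe the output of `rpm -qa` into `audit()` in place of the constructed sample, and build the `FIXED_*` table from the package list for the RHEL release actually installed. Verify the downloaded RPMs' signatures with `rpm -K` against the Red Hat key referenced above before installing; a version check alone says nothing about package integrity.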

7. References:

https://access.redhat.com/security/cve/CVE-2018-5407
https://access.redhat.com/security/cve/CVE-2019-0221
https://access.redhat.com/security/cve/CVE-2019-1559
https://access.redhat.com/security/cve/CVE-2019-10072
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.2/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

======================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Web Server 5.2 security release
Advisory ID:       RHSA-2019:3931-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3931
Issue date:        2019-11-20
Keywords:          JWS
CVE Names:         CVE-2018-5407 CVE-2019-0221 CVE-2019-1559
                   CVE-2019-10072
======================================================================

1. Summary:

Red Hat JBoss Web Server 5.2.0 zip release for RHEL 6, RHEL 7, RHEL 8 and
Microsoft Windows is available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

Refer to the Release Notes for information on the most significant bug
fixes, enhancements and component upgrades included in this release.

Security Fix(es):

* openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures
(PortSmash) (CVE-2018-5407)
* tomcat: XSS in SSI printenv (CVE-2019-0221)
* openssl: 0-byte record padding oracle (CVE-2019-1559)
* tomcat: HTTP/2 implementation leads to denial of service (CVE-2019-10072)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1645695 - CVE-2018-5407 openssl: Side-channel vulnerability on 
                        SMT/Hyper-Threading architectures (PortSmash)
1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle
1713275 - CVE-2019-0221 tomcat: XSS in SSI printenv
1723708 - CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on 
                         write, incomplete fix of CVE-2019-0199

5. References:

https://access.redhat.com/security/cve/CVE-2018-5407
https://access.redhat.com/security/cve/CVE-2019-0221
https://access.redhat.com/security/cve/CVE-2019-1559
https://access.redhat.com/security/cve/CVE-2019-10072
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================