Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0832 Red Hat Data Grid security updates 6 March 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat Data Grid 7.3.3 Red Hat Data Grid 7.3.4 Red Hat Data Grid 7.3.5 Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Increased Privileges -- Existing Account Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-16335 CVE-2019-14893 CVE-2019-14892 CVE-2019-14888 CVE-2019-14838 CVE-2019-14379 CVE-2019-10212 CVE-2019-10184 CVE-2019-10174 CVE-2019-10173 CVE-2019-9518 CVE-2019-9515 CVE-2019-9514 CVE-2019-9512 CVE-2019-3888 CVE-2019-3805 CVE-2018-14335 CVE-2015-9251 CVE-2013-7285 Reference: ASB-2020.0024 ASB-2020.0017 ESB-2020.0494 ESB-2020.0450 ESB-2020.0216 ESB-2020.0100 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0728 https://access.redhat.com/errata/RHSA-2020:0729 Comment: This bulletin contains three (3) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Data Grid 7.3.3 security update Advisory ID: RHSA-2020:0727-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2020:0727 Issue date: 2020-03-05 CVE Names: CVE-2018-14335 CVE-2019-3805 CVE-2019-3888 CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 CVE-2019-9518 CVE-2019-10173 CVE-2019-10174 CVE-2019-10184 CVE-2019-10212 CVE-2019-14379 ===================================================================== 1. Summary: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project. This release of Red Hat Data Grid 7.3.3 serves as a replacement for Red Hat Data Grid 7.3.2 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum. Security Fix(es): * HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512) * HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514) * HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515) * HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518) * xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285) (CVE-2019-10173) * infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174) * jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379) * h2: Information Exposure due to insecure handling of permissions in the backup (CVE-2018-14335) * wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805) * undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888) * undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files (CVE-2019-10212) * undertow: Information leak in requests for directories without trailing slashes (CVE-2019-10184) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: To install this update, do the following: 1. Download the Data Grid 7.3.3 server patch from the customer portal. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 7.3.3 server patch. Refer to the 7.3 Release Notes for patching instructions. 4. Restart Data Grid to ensure the changes take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 1610877 - CVE-2018-14335 h2: Information Exposure due to insecure handling of permissions in the backup 1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users 1693777 - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed 1703469 - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods 1713068 - CVE-2019-10184 undertow: Information leak in requests for directories without trailing slashes 1722971 - CVE-2019-10173 xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285) 1731984 - CVE-2019-10212 undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files 1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth 1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth 1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth 1735749 - CVE-2019-9518 HTTP/2: flood using empty frames results in excessive resource consumption 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 5. References: https://access.redhat.com/security/cve/CVE-2018-14335 https://access.redhat.com/security/cve/CVE-2019-3805 https://access.redhat.com/security/cve/CVE-2019-3888 https://access.redhat.com/security/cve/CVE-2019-9512 https://access.redhat.com/security/cve/CVE-2019-9514 https://access.redhat.com/security/cve/CVE-2019-9515 https://access.redhat.com/security/cve/CVE-2019-9518 https://access.redhat.com/security/cve/CVE-2019-10173 https://access.redhat.com/security/cve/CVE-2019-10174 https://access.redhat.com/security/cve/CVE-2019-10184 https://access.redhat.com/security/cve/CVE-2019-10212 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=patches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXmD2b9zjgjWX9erEAQhDqA/9G7uM0HlTt4M6Z9Zc23FSbbr+jj1k/o69 a5WWa+xS3Ko4IvlN5rt+wOHSFet+NTMAerNHzAsB2+viX1hr14Hwf3QnIom/yxbJ PaC1djdaZfcvSIODhbq/C5Ilae09x3rW1voQ39i1Q2bsEqVePLZdC75KjvNLsfqe QJCMvcO3jkccxn7k45baCfTGsFyOhHb17Y9DRarWsC7jO9kEjMxrUPN6qKP6BC9t RMuqDxo1aJnatMeCWb7NA0UpOz0+lFpuR+ZZYPV444nGmfTKrbc9c5TuQUCSP+LD sG1+fh2xMztuGxNiJfgSP3iqHmgXD9TBxh1kxn1kt59llCO5+Uqu/O5OsqeQQ0Ym I+a2VAzn2N776sTbWIZ3231IJex68oG+4/fIo6/FVVJpmtDIDgumgErTPD0kkNuT yyyn3u50RZohzSxEz37QdiQDJbiJcJhmtFR5fLRAbFa8Ys2Gw81PGFba95/kVooX K5uSukzOBm8nhxfBvwZDCY/gWuJwVLSAOJb4VoPZiR2WbZsx+9r+spQv6K9wYr5v s//DY88rsUSaMH4kGco//6Dqis8IwOISr/ZR+Edlnrz1rHv9Z4XerMw56VUKIHva mS7rdNmbLqHN0XfZImxewLca2i7sWIlxWrgKF2f4zEO3ermivdis7RdssZkJ9Zv9 S7B2VoNOQj4= =zoia - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Data Grid 7.3.4 security update Advisory ID: RHSA-2020:0728-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2020:0728 Issue date: 2020-03-05 CVE Names: CVE-2019-14838 ===================================================================== 1. Summary: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project. This release of Red Hat Data Grid 7.3.4 serves as a replacement for Red Hat Data Grid 7.3.3 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum. Security Fix(es): * wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default (CVE-2019-14838) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: To install this update, do the following: 1. Download the Data Grid 7.3.4 server patch from the customer portal. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 7.3.4 server patch. Refer to the 7.3 Release Notes for patching instructions. 4. Restart Data Grid to ensure the changes take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 1751227 - CVE-2019-14838 wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default 5. References: https://access.redhat.com/security/cve/CVE-2019-14838 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=7.3&downloadType=patches https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXmD58tzjgjWX9erEAQhLSA/+M9UCHp9LEpy0IDRTjj0BZYpu/Wx2Wzlf HpH+HysKOAvO0fTQOo7CrcWIGWm76BVjPdkzIlhttCs96WfghCCVnIPg40fW26SH V2edEuVgok+gcPEbFb4IiG56/9M5So4VQ/jsvI0m1mH5+xHAU4R1cuYPPGITEHWw 70vka3vs5PM2Y1A9rXz89Qhex/Zk4rlge29T/1tZIjQAAeWucuAEtA/902aLm+9P ecD3YwWcmEQCcjK03QjYmiCUnCU6aSFCZqWAyX2O5k9LUpROrJQO5zkuydF+hfny E8+dqs8UBD2aHny7duzmWa6UFe/uetmtLK4Aa7UTLr84hFKnGpEYcUJ3bBXXSOz9 5CQOc4yt69klIkVNyk3Evmka/erDj3lj3F2YKu93s6HJQfxmAPsg3xoUrs4cTOmF E4NlV5UvvUJo9adNRzHGBbpdaOXq1wJc8QeaXMjhQOr4/p6XDS9ebtmnJbaJqrN/ /1sZUxEO2DerO1zy6ws7TEuCzeFPHJrwQFXN0uso9aNJZoDvFqRbQWUHrhe7J0Dp ES6BVCUchqfa50XCTkmytLsFmdB5tL+asJWYWwNefIu1Lg8l22SMbzw0s1GJnuGj fXnzDCwHDdMj6VKhUjyLdDV1KPe/MMzEBwXcXwqi9P3O9bJC4eYy377iHked62z1 PG26lBU0UZ4= =Hs6K - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Data Grid 7.3.5 security update Advisory ID: RHSA-2020:0729-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2020:0729 Issue date: 2020-03-05 CVE Names: CVE-2015-9251 CVE-2019-14888 CVE-2019-14892 CVE-2019-14893 CVE-2019-16335 ===================================================================== 1. Summary: An update for Red Hat Data Grid is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project. This release of Red Hat Data Grid 7.3.5 serves as a replacement for Red Hat Data Grid 7.3.4 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum. Security Fix(es): * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251) * jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892) * jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893) * jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: To install this update, do the following: 1. Download the Data Grid 7.3.5 server patch from the customer portal. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 7.3.5 server patch. Refer to the 7.3 Release Notes for patching instructions. 4. Restart Data Grid to ensure the changes take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests 1755831 - CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource 1758171 - CVE-2019-14892 jackson-databind: Serialization gadgets in classes of the commons-configuration package 1758182 - CVE-2019-14893 jackson-databind: Serialization gadgets in classes of the xalan package 1772464 - CVE-2019-14888 undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS 5. References: https://access.redhat.com/security/cve/CVE-2015-9251 https://access.redhat.com/security/cve/CVE-2019-14888 https://access.redhat.com/security/cve/CVE-2019-14892 https://access.redhat.com/security/cve/CVE-2019-14893 https://access.redhat.com/security/cve/CVE-2019-16335 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=7.3&downloadType=patches https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXmD64dzjgjWX9erEAQhVEw//YhsuCp6jWyCTmV4ityeuQbAfugDZbDil UgLHKB9LytAPXZunO8F+JpvNUAjTuPuJCXoTLY75Qz50v1Tdi1sCFr4oeQcpwkTZ L3+x5F4p8B+xAWTtmP+dM/36OClSLDvKcT+wLcwIZs9uUhXt5a/eMcbGkEvDRqeS 56WULWu2uHYhOPr3l7SaL3V0+7GTH3QsaeqNTohn8wsSjsdVWJwh4L8St1MVdPiI qraV1nN5DY0uqHfkIdZJY5dnhJ43PVvSgf9TS+0GFYZN78F9FMQQi94MRHQbNOuc LJrbiVXWgyDBIPJCA0Nu5TYutIdRcD6agHXeFay2SRCEMxfXdtFVEstInAOMy7g8 daH7DGPvNG9tyC32uKJpq11/3qCulfJ2WzIocuLUnBTg13pjhpOGTSG5h+kxTybR IU83IP24lVZOdkbXv/9GBWPwyOPpZO1IO7zUTaGPoRbGW+167pRoMp8LG28NCth3 mENbW2oBk/sAQbiUQ6oQntKmLBOC4yQDAskvWTf82csrcve0kAcOCFU5ivnRt4Mf mePrVsHc1O/WHFyoZP9TPX99h0jYKHKxP8VE81RT2MkQmnPkL1UQcnFmtutcVqEd LNNW7Y8V6thdeZRspwAR575lqYzq59dNkGeINHuWTv4DWHQTneVcJB7a1fAvcFB6 6hUzIjSDmgY= =NGTq - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXmHc/maOgq3Tt24GAQjGYhAAvL1sd0cKqIKBM2WLy5AMLykRNElcdA0r EmNuZkhZRwt6TB1JWb2zvo5DYiH8+Q4zrI6RET9CzE7oNIpCHK2i7NLxaATBr12m SE/VmTu6QRWiG0SXSXtGl3BN8Lfq4PGnIomZKYfCCybEqpi/sU5ycC7JQoqr3mhl vAjeCp/1QhqOpYi3OxNz5NHBvS+7m4eYj+SdJFD2RXEulnoXKYjVQ7uE4fdqqNoG DmC9GGT552tBGblUpgDcLLZBktlEui9khK1+px6Ys6Ji3ScTBco7rg59zaqeN4// CbyNkd40TpqKtzYVtWHwAsvx2SOPaVTr730RztblZ6Z+Lc796cKeSenV9I8KrF2v CMbNd1cjQVu0GpDAkwCM/qYprSywtKH0YgQVOSOKriwyF7ve5bbWkRJ89oOx/i0N UfFJwgtAssnHh1n2Kwl4z+N7dobbRk91rmBaYQGgEiCGaj+9YFlvHLfMfq1neSVU xAhup6s1MUrK4i1vyrgQYGnChKtkcBC2DNHohFt80acU+fk425X6BaY3FRXFWT9H n1GuqgPYq+MKN4Xaegm+MRaIDqtZwsbSM0WSN+VaB6yJgPlqioBONCl0c6wRejIa slQex5U+axVE+iwzpKcnVrXhwbcCERp1f9lOaJ8UaVoDzXm/06XfIfg5EIBAdJao qinGC/k7AA4= =MxQw -----END PGP SIGNATURE-----