Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0915 Red Hat JBoss Enterprise Application Platform 7.2.7 security update 13 March 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat JBoss Enterprise Application Platform 7.2.7 Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux Server 8 Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-7238 CVE-2019-20445 CVE-2019-20444 CVE-2019-14887 CVE-2019-12400 CVE-2019-10086 CVE-2019-0210 CVE-2019-0205 Reference: ESB-2020.0786 ESB-2020.0681 ESB-2019.4791 ESB-2019.4787 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0811 Comment: This bulletin contains four (4) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 6 security update Advisory ID: RHSA-2020:0804-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:0804 Issue date: 2020-03-12 CVE Names: CVE-2019-0205 CVE-2019-0210 CVE-2019-10086 CVE-2019-12400 CVE-2019-14887 CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.2 for RHEL 6 Server - noarch, x86_64 3. Description: This release of Red Hat JBoss Enterprise Application Platform 7.2.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205) * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) * xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400) * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) * netty: HTTP request smuggling (CVE-2019-20444) * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details about how to apply this update, which includes the changes described in this advisory, see: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data 1764658 - CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source 1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header 1798524 - CVE-2019-20444 netty: HTTP request smuggling 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-16051 - [GSS](7.2.z) Upgrade javax.el-impl from 3.0.1.b08-redhat-1 to 3.0.1.b08-redhat-00003 JBEAP-17386 - [GSS](7.2.z) Upgrade Artemis from 2.9.0.redhat-00005 to 2.9.0.redhat-00009 JBEAP-17683 - [GSS](7.2.z) Upgrade JBoss Remoting from 5.0.16.Final-redhat-00001 to 5.0.17.Final-redhat-00001 JBEAP-17963 - [GSS](7.2.z) Upgrade Hibernate ORM from 5.3.14.Final-redhat-00001 to 5.3.15.Final-redhat-00001 JBEAP-18008 - [GSS](7.2.z) Upgrade Woodstox from 5.0.3.redhat-1 to 6.0.3.redhat-00001 JBEAP-18150 - Tracker bug for the EAP 7.2.7 release for RHEL-6 JBEAP-18160 - [GSS](7.2.z) Upgrade wildfly-http-client from 1.0.18.Final-redhat-00001 to 1.0.20.Final-redhat-00001 JBEAP-18164 - [GSS](7.2.z) Upgrade HAL from 3.0.19.Final to 3.0.20.Final JBEAP-18220 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00010 to 2.5.5.SP12-redhat-00011 JBEAP-18274 - (7.2.z) Upgrade IronJacamar from 1.4.18.Final to 1.4.20.Final JBEAP-18284 - [GSS](7.2.z) Upgrade WildFly Core from 6.0.21 to 6.0.23 JBEAP-18292 - (7.2.z) Upgrade JAXB from 2.3.1 to 2.3.3-b02 and com.sun.istack from 3.0.7 to 3.0.10 JBEAP-18318 - [GSS](7.2.z) Upgrade jboss-ejb-client from 4.0.27.Final to 4.0.28.Final JBEAP-18327 - [GSS](7.2.z) Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00004 to 2.3.5.SP3-redhat-00005 JBEAP-18404 - [GSS](7.2.z) Upgrade Infinispan from 9.3.7.Final-redhat-00001 to 9.3.8.Final-redhat-00001 JBEAP-18437 - (7.2.z) Upgrade wildfly-transaction-client from 1.1.8.Final-redhat-00001 to 1.1.9.Final-redhat-00001 JBEAP-18504 - [GSS](7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012 JBEAP-18699 - [GSS](7.2.z) Upgrade WildFly Core from 6.0.23 to 6.0.24 7. Package List: Red Hat JBoss EAP 7.2 for RHEL 6 Server: Source: eap7-activemq-artemis-2.9.0-2.redhat_00009.1.el6eap.src.rpm eap7-apache-commons-beanutils-1.9.4-1.redhat_00002.1.el6eap.src.rpm eap7-glassfish-el-3.0.1-4.b08_redhat_00003.1.el6eap.src.rpm eap7-glassfish-jaxb-2.3.3-4.b02_redhat_00001.1.el6eap.src.rpm eap7-glassfish-jsf-2.3.5-7.SP3_redhat_00005.1.el6eap.src.rpm eap7-hal-console-3.0.20-1.Final_redhat_00001.1.el6eap.src.rpm eap7-hibernate-5.3.15-1.Final_redhat_00001.1.el6eap.src.rpm eap7-infinispan-9.3.8-1.Final_redhat_00001.1.el6eap.src.rpm eap7-ironjacamar-1.4.20-1.Final_redhat_00001.1.el6eap.src.rpm eap7-jackson-databind-2.9.10.2-1.redhat_00001.1.el6eap.src.rpm eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el6eap.src.rpm eap7-jboss-ejb-client-4.0.28-1.Final_redhat_00001.1.el6eap.src.rpm eap7-jboss-remoting-5.0.17-1.Final_redhat_00001.1.el6eap.src.rpm eap7-jboss-server-migration-1.3.1-8.Final_redhat_00009.1.el6eap.src.rpm eap7-picketlink-bindings-2.5.5-23.SP12_redhat_00012.1.el6eap.src.rpm eap7-stax2-api-4.2.0-1.redhat_00001.1.el6eap.src.rpm eap7-sun-istack-commons-3.0.10-1.redhat_00001.1.el6eap.src.rpm eap7-thrift-0.13.0-1.redhat_00002.1.el6eap.src.rpm eap7-wildfly-7.2.7-4.GA_redhat_00004.1.el6eap.src.rpm eap7-wildfly-http-client-1.0.20-1.Final_redhat_00001.1.el6eap.src.rpm eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el6eap.src.rpm eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el6eap.src.rpm eap7-wildfly-transaction-client-1.1.9-1.Final_redhat_00001.1.el6eap.src.rpm eap7-woodstox-core-6.0.3-1.redhat_00001.1.el6eap.src.rpm eap7-xml-security-2.1.4-1.redhat_00001.1.el6eap.src.rpm noarch: eap7-activemq-artemis-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-cli-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-commons-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-core-client-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-dto-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-jms-client-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-jms-server-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-journal-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-ra-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-selector-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-server-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-activemq-artemis-tools-2.9.0-2.redhat_00009.1.el6eap.noarch.rpm eap7-apache-commons-beanutils-1.9.4-1.redhat_00002.1.el6eap.noarch.rpm eap7-codemodel-2.3.3-4.b02_redhat_00001.1.el6eap.noarch.rpm eap7-glassfish-el-3.0.1-4.b08_redhat_00003.1.el6eap.noarch.rpm eap7-glassfish-el-impl-3.0.1-4.b08_redhat_00003.1.el6eap.noarch.rpm eap7-glassfish-jaxb-2.3.3-4.b02_redhat_00001.1.el6eap.noarch.rpm eap7-glassfish-jsf-2.3.5-7.SP3_redhat_00005.1.el6eap.noarch.rpm eap7-hal-console-3.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-5.3.15-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-core-5.3.15-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-entitymanager-5.3.15-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-envers-5.3.15-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-hibernate-java8-5.3.15-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-9.3.8-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-cachestore-jdbc-9.3.8-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-cachestore-remote-9.3.8-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-client-hotrod-9.3.8-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-commons-9.3.8-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-core-9.3.8-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-9.3.8-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-9.3.8-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-9.3.8-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-1.4.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-common-api-1.4.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-core-api-1.4.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-validator-1.4.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-istack-commons-runtime-3.0.10-1.redhat_00001.1.el6eap.noarch.rpm eap7-istack-commons-tools-3.0.10-1.redhat_00001.1.el6eap.noarch.rpm eap7-jackson-databind-2.9.10.2-1.redhat_00001.1.el6eap.noarch.rpm eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el6eap.noarch.rpm eap7-jaegertracing-jaeger-client-java-core-0.34.1-1.redhat_00002.1.el6eap.noarch.rpm eap7-jaegertracing-jaeger-client-java-thrift-0.34.1-1.redhat_00002.1.el6eap.noarch.rpm eap7-jaxb-jxc-2.3.3-4.b02_redhat_00001.1.el6eap.noarch.rpm eap7-jaxb-runtime-2.3.3-4.b02_redhat_00001.1.el6eap.noarch.rpm eap7-jaxb-xjc-2.3.3-4.b02_redhat_00001.1.el6eap.noarch.rpm eap7-jboss-ejb-client-4.0.28-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-jboss-remoting-5.0.17-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-jboss-server-migration-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-cli-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-core-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el6eap.noarch.rpm eap7-picketlink-bindings-2.5.5-23.SP12_redhat_00012.1.el6eap.noarch.rpm eap7-picketlink-wildfly8-2.5.5-23.SP12_redhat_00012.1.el6eap.noarch.rpm eap7-relaxng-datatype-2.3.3-4.b02_redhat_00001.1.el6eap.noarch.rpm eap7-rngom-2.3.3-4.b02_redhat_00001.1.el6eap.noarch.rpm eap7-stax2-api-4.2.0-1.redhat_00001.1.el6eap.noarch.rpm eap7-sun-istack-commons-3.0.10-1.redhat_00001.1.el6eap.noarch.rpm eap7-thrift-0.13.0-1.redhat_00002.1.el6eap.noarch.rpm eap7-txw2-2.3.3-4.b02_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-7.2.7-4.GA_redhat_00004.1.el6eap.noarch.rpm eap7-wildfly-http-client-common-1.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-javadocs-7.2.7-4.GA_redhat_00004.1.el6eap.noarch.rpm eap7-wildfly-modules-7.2.7-4.GA_redhat_00004.1.el6eap.noarch.rpm eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-openssl-java-1.0.9-2.SP03_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-transaction-client-1.1.9-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-woodstox-core-6.0.3-1.redhat_00001.1.el6eap.noarch.rpm eap7-xml-security-2.1.4-1.redhat_00001.1.el6eap.noarch.rpm eap7-xsom-2.3.3-4.b02_redhat_00001.1.el6eap.noarch.rpm x86_64: eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el6eap.x86_64.rpm eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.9-2.SP03_redhat_00001.1.el6eap.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-10086 https://access.redhat.com/security/cve/CVE-2019-12400 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-20444 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-7238 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXmpsgtzjgjWX9erEAQgwmg//Qa3jG/PWPovrJViyIBtpDIly8eR+ijyn u3zQvWUVVkEuSPwlGnpEA20TyYKv9bq21zHD27fN2Hw6g/adjKLuHEvj8IFHld0B DGKYMKe0jCnguOYAY2XNcm5KatswGBcz9sE+YgIY2eRnH6BjqrGCPfQmYyeRPknL 5FVYDeBJBJ45LnY29YDcyMCV1Nayo04T0m9yjN8QZMSXwwFekr9h/KUU62DgvDom x319qd3OjXSnDXs4veu9/g29E4vvCiX0zZPBSc8eu633sRaV6bq/pT3HrCKS5snu rnosy3n34qO2k748BvicxSDFHEFmn15oVhRa5+d4advdLPfqJpjdoJOHhEdd6UL0 8mqJrwnnZVF0s2R7ePWbpNBraW1GgBdVQO05GWkW5DmnSNZ19R3PNdpD4n9tTkNC veU0PTCBFj5f/xp22b39U/LXNnHJ8WmkS5UVe3MJZnch1RgnqBowb93n1GAG3Noa Pm+iCG7HMFfPjT8dVEtl7xVkPkiEs6LZsUx04DgkN2vu6DH/0LkxE1DI3GmzopMg NRv5xT/KGjDrShiF7OUcbUimHCbNm80nAMMzCgGsxJF0V8zCpzO4ue1QRNM/NtMQ 9THT2Qu2kj5zxsB/8fxMc6w2PpkBvCjC891hC//JK3HurQEoSui9Eh+dIiA4RvP5 AvoeS3fPQLw= =NH/6 - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 7 security update Advisory ID: RHSA-2020:0805-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:0805 Issue date: 2020-03-12 CVE Names: CVE-2019-0205 CVE-2019-0210 CVE-2019-10086 CVE-2019-12400 CVE-2019-14887 CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.2 for RHEL 7 Server - noarch, x86_64 3. Description: This release of Red Hat JBoss Enterprise Application Platform 7.2.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205) * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) * xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400) * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) * netty: HTTP request smuggling (CVE-2019-20444) * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data 1764658 - CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source 1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header 1798524 - CVE-2019-20444 netty: HTTP request smuggling 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-16051 - [GSS](7.2.z) Upgrade javax.el-impl from 3.0.1.b08-redhat-1 to 3.0.1.b08-redhat-00003 JBEAP-17386 - [GSS](7.2.z) Upgrade Artemis from 2.9.0.redhat-00005 to 2.9.0.redhat-00009 JBEAP-17683 - [GSS](7.2.z) Upgrade JBoss Remoting from 5.0.16.Final-redhat-00001 to 5.0.17.Final-redhat-00001 JBEAP-17963 - [GSS](7.2.z) Upgrade Hibernate ORM from 5.3.14.Final-redhat-00001 to 5.3.15.Final-redhat-00001 JBEAP-18008 - [GSS](7.2.z) Upgrade Woodstox from 5.0.3.redhat-1 to 6.0.3.redhat-00001 JBEAP-18151 - Tracker bug for the EAP 7.2.7 release for RHEL-7 JBEAP-18160 - [GSS](7.2.z) Upgrade wildfly-http-client from 1.0.18.Final-redhat-00001 to 1.0.20.Final-redhat-00001 JBEAP-18164 - [GSS](7.2.z) Upgrade HAL from 3.0.19.Final to 3.0.20.Final JBEAP-18220 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00010 to 2.5.5.SP12-redhat-00011 JBEAP-18274 - (7.2.z) Upgrade IronJacamar from 1.4.18.Final to 1.4.20.Final JBEAP-18284 - [GSS](7.2.z) Upgrade WildFly Core from 6.0.21 to 6.0.23 JBEAP-18292 - (7.2.z) Upgrade JAXB from 2.3.1 to 2.3.3-b02 and com.sun.istack from 3.0.7 to 3.0.10 JBEAP-18318 - [GSS](7.2.z) Upgrade jboss-ejb-client from 4.0.27.Final to 4.0.28.Final JBEAP-18327 - [GSS](7.2.z) Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00004 to 2.3.5.SP3-redhat-00005 JBEAP-18404 - [GSS](7.2.z) Upgrade Infinispan from 9.3.7.Final-redhat-00001 to 9.3.8.Final-redhat-00001 JBEAP-18437 - (7.2.z) Upgrade wildfly-transaction-client from 1.1.8.Final-redhat-00001 to 1.1.9.Final-redhat-00001 JBEAP-18504 - [GSS](7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012 JBEAP-18699 - [GSS](7.2.z) Upgrade WildFly Core from 6.0.23 to 6.0.24 7. Package List: Red Hat JBoss EAP 7.2 for RHEL 7 Server: Source: eap7-activemq-artemis-2.9.0-2.redhat_00009.1.el7eap.src.rpm eap7-apache-commons-beanutils-1.9.4-1.redhat_00002.1.el7eap.src.rpm eap7-glassfish-el-3.0.1-4.b08_redhat_00003.1.el7eap.src.rpm eap7-glassfish-jaxb-2.3.3-4.b02_redhat_00001.1.el7eap.src.rpm eap7-glassfish-jsf-2.3.5-7.SP3_redhat_00005.1.el7eap.src.rpm eap7-hal-console-3.0.20-1.Final_redhat_00001.1.el7eap.src.rpm eap7-hibernate-5.3.15-1.Final_redhat_00001.1.el7eap.src.rpm eap7-infinispan-9.3.8-1.Final_redhat_00001.1.el7eap.src.rpm eap7-ironjacamar-1.4.20-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jackson-databind-2.9.10.2-1.redhat_00001.1.el7eap.src.rpm eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el7eap.src.rpm eap7-jboss-ejb-client-4.0.28-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-remoting-5.0.17-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-server-migration-1.3.1-8.Final_redhat_00009.1.el7eap.src.rpm eap7-picketlink-bindings-2.5.5-23.SP12_redhat_00012.1.el7eap.src.rpm eap7-stax2-api-4.2.0-1.redhat_00001.1.el7eap.src.rpm eap7-sun-istack-commons-3.0.10-1.redhat_00001.1.el7eap.src.rpm eap7-thrift-0.13.0-1.redhat_00002.1.el7eap.src.rpm eap7-wildfly-7.2.7-4.GA_redhat_00004.1.el7eap.src.rpm eap7-wildfly-http-client-1.0.20-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el7eap.src.rpm eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el7eap.src.rpm eap7-wildfly-transaction-client-1.1.9-1.Final_redhat_00001.1.el7eap.src.rpm eap7-woodstox-core-6.0.3-1.redhat_00001.1.el7eap.src.rpm eap7-xml-security-2.1.4-1.redhat_00001.1.el7eap.src.rpm noarch: eap7-activemq-artemis-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-cli-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-commons-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-core-client-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-dto-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-client-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-server-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-journal-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-ra-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-selector-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-server-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-activemq-artemis-tools-2.9.0-2.redhat_00009.1.el7eap.noarch.rpm eap7-apache-commons-beanutils-1.9.4-1.redhat_00002.1.el7eap.noarch.rpm eap7-codemodel-2.3.3-4.b02_redhat_00001.1.el7eap.noarch.rpm eap7-glassfish-el-3.0.1-4.b08_redhat_00003.1.el7eap.noarch.rpm eap7-glassfish-el-impl-3.0.1-4.b08_redhat_00003.1.el7eap.noarch.rpm eap7-glassfish-jaxb-2.3.3-4.b02_redhat_00001.1.el7eap.noarch.rpm eap7-glassfish-jsf-2.3.5-7.SP3_redhat_00005.1.el7eap.noarch.rpm eap7-hal-console-3.0.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-5.3.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-core-5.3.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-entitymanager-5.3.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-envers-5.3.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-java8-5.3.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-9.3.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-cachestore-jdbc-9.3.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-cachestore-remote-9.3.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-client-hotrod-9.3.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-commons-9.3.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-core-9.3.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-9.3.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-9.3.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-9.3.8-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-1.4.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-api-1.4.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-api-1.4.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-validator-1.4.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-istack-commons-runtime-3.0.10-1.redhat_00001.1.el7eap.noarch.rpm eap7-istack-commons-tools-3.0.10-1.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-databind-2.9.10.2-1.redhat_00001.1.el7eap.noarch.rpm eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el7eap.noarch.rpm eap7-jaegertracing-jaeger-client-java-core-0.34.1-1.redhat_00002.1.el7eap.noarch.rpm eap7-jaegertracing-jaeger-client-java-thrift-0.34.1-1.redhat_00002.1.el7eap.noarch.rpm eap7-jaxb-jxc-2.3.3-4.b02_redhat_00001.1.el7eap.noarch.rpm eap7-jaxb-runtime-2.3.3-4.b02_redhat_00001.1.el7eap.noarch.rpm eap7-jaxb-xjc-2.3.3-4.b02_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-ejb-client-4.0.28-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-remoting-5.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-server-migration-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-cli-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-core-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el7eap.noarch.rpm eap7-picketlink-bindings-2.5.5-23.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-picketlink-wildfly8-2.5.5-23.SP12_redhat_00012.1.el7eap.noarch.rpm eap7-relaxng-datatype-2.3.3-4.b02_redhat_00001.1.el7eap.noarch.rpm eap7-rngom-2.3.3-4.b02_redhat_00001.1.el7eap.noarch.rpm eap7-stax2-api-4.2.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-sun-istack-commons-3.0.10-1.redhat_00001.1.el7eap.noarch.rpm eap7-thrift-0.13.0-1.redhat_00002.1.el7eap.noarch.rpm eap7-txw2-2.3.3-4.b02_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-7.2.7-4.GA_redhat_00004.1.el7eap.noarch.rpm eap7-wildfly-http-client-common-1.0.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.20-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-java-jdk11-7.2.7-4.GA_redhat_00004.1.el7eap.noarch.rpm eap7-wildfly-java-jdk8-7.2.7-4.GA_redhat_00004.1.el7eap.noarch.rpm eap7-wildfly-javadocs-7.2.7-4.GA_redhat_00004.1.el7eap.noarch.rpm eap7-wildfly-modules-7.2.7-4.GA_redhat_00004.1.el7eap.noarch.rpm eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-openssl-java-1.0.9-2.SP03_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-transaction-client-1.1.9-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-woodstox-core-6.0.3-1.redhat_00001.1.el7eap.noarch.rpm eap7-xml-security-2.1.4-1.redhat_00001.1.el7eap.noarch.rpm eap7-xsom-2.3.3-4.b02_redhat_00001.1.el7eap.noarch.rpm x86_64: eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el7eap.x86_64.rpm eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.9-2.SP03_redhat_00001.1.el7eap.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-10086 https://access.redhat.com/security/cve/CVE-2019-12400 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-20444 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-7238 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXmpsd9zjgjWX9erEAQiQSg//TglqDCNJpUNOr36DEOGhxNMcBgRZFRho U1Tb+Xf0KSLyg9IDdAdSrIFFuVLYseVSvxDiwwHnaX6+zdyJIgqdEaDrHLp7ABnQ ZMG5HzTpmYBbSNVcHCFCTvjwg9AMAi13WpBY+aqolLS42JHKSQLKLUb70tdE/c71 S9kpI2nPg2XrrssxE78SUZVaa0SLWvb73qMQgHpfAf1hw8XErZUYXhUgSIZTghBN HEV4tFwOT90bVP6Ujs20fuPhXmiMP/ERo4yM92oEb2y6zf1GlJ4Vvz8MyGTiIgmo 0/HrTSJWoo8YtXfVJZwEZdNYnt/IimLqQhalAXKBr3R4hZ4PSyb17wStMHC/AO6k VkFRB9NYQ7a/NFwVI2h1tdkgZsq7TjZQIgLcv6IXOFFVddsUUzZl4JcGSSMQ+SN8 PjdegJmQlkL4ajqwndCOSX3GvAHOoqy9s0KS/LcXeiwx/zfYBST5yn+qY3I2BnwN rQdadudfAWP5xxAGOBYGXr5uudGgPNdG5FyweAhiZa8LyqoJWfonFtk494yy1Z7Z RWBVCoUYVkUfGVVXNu4YYk1++o2FGPUxQ6OBKIbZQWRr6hsFf86EDUuHM9SI/b46 F9vLB02Zp0gz31VDAp3Eg1Tu0Y6VpQUETTQ573Vh+VhPXQqv8kJ8gi5tpyVguTwT ZP6uG/uszOI= =EVx1 - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.7 on RHEL 8 security update Advisory ID: RHSA-2020:0806-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:0806 Issue date: 2020-03-12 CVE Names: CVE-2019-0205 CVE-2019-0210 CVE-2019-10086 CVE-2019-12400 CVE-2019-14887 CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.2 for RHEL 8 - noarch, x86_64 3. Description: This release of Red Hat JBoss Enterprise Application Platform 7.2.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205) * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) * xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400) * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) * netty: HTTP request smuggling (CVE-2019-20444) * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data 1764658 - CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source 1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header 1798524 - CVE-2019-20444 netty: HTTP request smuggling 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-16051 - [GSS](7.2.z) Upgrade javax.el-impl from 3.0.1.b08-redhat-1 to 3.0.1.b08-redhat-00003 JBEAP-17386 - [GSS](7.2.z) Upgrade Artemis from 2.9.0.redhat-00005 to 2.9.0.redhat-00009 JBEAP-17683 - [GSS](7.2.z) Upgrade JBoss Remoting from 5.0.16.Final-redhat-00001 to 5.0.17.Final-redhat-00001 JBEAP-17963 - [GSS](7.2.z) Upgrade Hibernate ORM from 5.3.14.Final-redhat-00001 to 5.3.15.Final-redhat-00001 JBEAP-18008 - [GSS](7.2.z) Upgrade Woodstox from 5.0.3.redhat-1 to 6.0.3.redhat-00001 JBEAP-18152 - Tracker bug for the EAP 7.2.7 release for RHEL-8 JBEAP-18160 - [GSS](7.2.z) Upgrade wildfly-http-client from 1.0.18.Final-redhat-00001 to 1.0.20.Final-redhat-00001 JBEAP-18164 - [GSS](7.2.z) Upgrade HAL from 3.0.19.Final to 3.0.20.Final JBEAP-18220 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00010 to 2.5.5.SP12-redhat-00011 JBEAP-18274 - (7.2.z) Upgrade IronJacamar from 1.4.18.Final to 1.4.20.Final JBEAP-18284 - [GSS](7.2.z) Upgrade WildFly Core from 6.0.21 to 6.0.23 JBEAP-18292 - (7.2.z) Upgrade JAXB from 2.3.1 to 2.3.3-b02 and com.sun.istack from 3.0.7 to 3.0.10 JBEAP-18318 - [GSS](7.2.z) Upgrade jboss-ejb-client from 4.0.27.Final to 4.0.28.Final JBEAP-18327 - [GSS](7.2.z) Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00004 to 2.3.5.SP3-redhat-00005 JBEAP-18404 - [GSS](7.2.z) Upgrade Infinispan from 9.3.7.Final-redhat-00001 to 9.3.8.Final-redhat-00001 JBEAP-18437 - (7.2.z) Upgrade wildfly-transaction-client from 1.1.8.Final-redhat-00001 to 1.1.9.Final-redhat-00001 JBEAP-18504 - [GSS](7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012 JBEAP-18699 - [GSS](7.2.z) Upgrade WildFly Core from 6.0.23 to 6.0.24 7. Package List: Red Hat JBoss EAP 7.2 for RHEL 8: Source: eap7-activemq-artemis-2.9.0-2.redhat_00009.1.el8eap.src.rpm eap7-apache-commons-beanutils-1.9.4-1.redhat_00002.1.el8eap.src.rpm eap7-glassfish-el-3.0.1-4.b08_redhat_00003.1.el8eap.src.rpm eap7-glassfish-jaxb-2.3.3-4.b02_redhat_00001.1.el8eap.src.rpm eap7-glassfish-jsf-2.3.5-7.SP3_redhat_00005.1.el8eap.src.rpm eap7-hal-console-3.0.20-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-5.3.15-1.Final_redhat_00001.1.el8eap.src.rpm eap7-infinispan-9.3.8-1.Final_redhat_00001.1.el8eap.src.rpm eap7-ironjacamar-1.4.20-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jackson-databind-2.9.10.2-1.redhat_00001.1.el8eap.src.rpm eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el8eap.src.rpm eap7-jboss-ejb-client-4.0.28-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-remoting-5.0.17-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.3.1-8.Final_redhat_00009.1.el8eap.src.rpm eap7-picketlink-bindings-2.5.5-23.SP12_redhat_00012.1.el8eap.src.rpm eap7-stax2-api-4.2.0-1.redhat_00001.1.el8eap.src.rpm eap7-sun-istack-commons-3.0.10-1.redhat_00001.1.el8eap.src.rpm eap7-thrift-0.13.0-1.redhat_00002.1.el8eap.src.rpm eap7-wildfly-7.2.7-4.GA_redhat_00004.1.el8eap.src.rpm eap7-wildfly-http-client-1.0.20-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el8eap.src.rpm eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el8eap.src.rpm eap7-wildfly-transaction-client-1.1.9-1.Final_redhat_00001.1.el8eap.src.rpm eap7-woodstox-core-6.0.3-1.redhat_00001.1.el8eap.src.rpm eap7-xml-security-2.1.4-1.redhat_00001.1.el8eap.src.rpm noarch: eap7-activemq-artemis-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-cli-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-commons-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-core-client-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-dto-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-client-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-server-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-journal-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-ra-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-selector-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-server-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-activemq-artemis-tools-2.9.0-2.redhat_00009.1.el8eap.noarch.rpm eap7-apache-commons-beanutils-1.9.4-1.redhat_00002.1.el8eap.noarch.rpm eap7-codemodel-2.3.3-4.b02_redhat_00001.1.el8eap.noarch.rpm eap7-glassfish-el-3.0.1-4.b08_redhat_00003.1.el8eap.noarch.rpm eap7-glassfish-el-impl-3.0.1-4.b08_redhat_00003.1.el8eap.noarch.rpm eap7-glassfish-jaxb-2.3.3-4.b02_redhat_00001.1.el8eap.noarch.rpm eap7-glassfish-jsf-2.3.5-7.SP3_redhat_00005.1.el8eap.noarch.rpm eap7-hal-console-3.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-5.3.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-core-5.3.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-entitymanager-5.3.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-envers-5.3.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-java8-5.3.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-9.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-jdbc-9.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-remote-9.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-client-hotrod-9.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-commons-9.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-core-9.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-9.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-9.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-9.3.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-1.4.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-api-1.4.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-api-1.4.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-validator-1.4.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-istack-commons-runtime-3.0.10-1.redhat_00001.1.el8eap.noarch.rpm eap7-istack-commons-tools-3.0.10-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-databind-2.9.10.2-1.redhat_00001.1.el8eap.noarch.rpm eap7-jaegertracing-jaeger-client-java-0.34.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-jaegertracing-jaeger-client-java-core-0.34.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-jaegertracing-jaeger-client-java-thrift-0.34.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-jaxb-jxc-2.3.3-4.b02_redhat_00001.1.el8eap.noarch.rpm eap7-jaxb-runtime-2.3.3-4.b02_redhat_00001.1.el8eap.noarch.rpm eap7-jaxb-xjc-2.3.3-4.b02_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-ejb-client-4.0.28-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-remoting-5.0.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-server-migration-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-8.Final_redhat_00009.1.el8eap.noarch.rpm eap7-picketlink-bindings-2.5.5-23.SP12_redhat_00012.1.el8eap.noarch.rpm eap7-picketlink-wildfly8-2.5.5-23.SP12_redhat_00012.1.el8eap.noarch.rpm eap7-relaxng-datatype-2.3.3-4.b02_redhat_00001.1.el8eap.noarch.rpm eap7-rngom-2.3.3-4.b02_redhat_00001.1.el8eap.noarch.rpm eap7-stax2-api-4.2.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-sun-istack-commons-3.0.10-1.redhat_00001.1.el8eap.noarch.rpm eap7-thrift-0.13.0-1.redhat_00002.1.el8eap.noarch.rpm eap7-txw2-2.3.3-4.b02_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-7.2.7-4.GA_redhat_00004.1.el8eap.noarch.rpm eap7-wildfly-http-client-common-1.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.2.7-4.GA_redhat_00004.1.el8eap.noarch.rpm eap7-wildfly-modules-7.2.7-4.GA_redhat_00004.1.el8eap.noarch.rpm eap7-wildfly-openssl-1.0.9-2.SP03_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-openssl-java-1.0.9-2.SP03_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-transaction-client-1.1.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-woodstox-core-6.0.3-1.redhat_00001.1.el8eap.noarch.rpm eap7-xml-security-2.1.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-xsom-2.3.3-4.b02_redhat_00001.1.el8eap.noarch.rpm x86_64: eap7-wildfly-openssl-linux-x86_64-1.0.9-2.SP03_redhat_00001.1.el8eap.x86_64.rpm eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.9-2.SP03_redhat_00001.1.el8eap.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-10086 https://access.redhat.com/security/cve/CVE-2019-12400 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-20444 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-7238 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXmprS9zjgjWX9erEAQhjow//QoZZte4Lbveu/ziHJN8NShSRUHQXJnwE TFRXpDFOpr49zEXXTl5VxjEFyWQ1qetdVGvEmNSR3WJDrL8MXj5iuntFMmvfRG8m Ih3EvqLT4yUPbd8tKAoxdjdHPuyo4G32cl0YagBWpDlrvZe0daHfLpUUag/wTOqY 5Bck4QKTKSAwEFIayUwHn0+cfbmTQNUJwHKhWK97ehPd0aHGKuyhOkTxk8CzbhgZ nPFvZoDeTL5V3HDAhEJot0MwAuqcY2efoKWfi5bsObtSR+TE+xyXF78KTTuciGwM dAnt4fPRr9eZ5nEMAmoCEd/nplJCjhVW7TQoLQd9+vBEoFT/1w7P/eM17DB1iUAc CRVOCWQcJJJIRNRNuosBn3R6OQNzzWi/OjY12kI1rC38yK/cJl95zsBZaOU5DMQ4 FUgi3ZgcvJggPeSWFdzlVXr69OKCghXgLEghGZQYKmWdEKombZE5ha4/F0eWkzEE TBSllPJwL9ORiaa90KtW7wwgwp+2mlDpkFrTmbm1qwmFKX2YS/RIxXV3SNg2WWGa Qzt/khUsiRB/JyAJgFmn9IYi7dY0Bj9O3vhr1vx/JqzwE6zZ/9+y4YVTiGucJG/u S1QUnJ/x7HoqIloq3JtQUlN3zR9zH534u0CBKWS53KiIn/dpdZjRSXqhXpWVNIJQ tTV2dUZiFbY= =tEfP - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.7 security update Advisory ID: RHSA-2020:0811-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:0811 Issue date: 2020-03-12 CVE Names: CVE-2019-0205 CVE-2019-0210 CVE-2019-10086 CVE-2019-12400 CVE-2019-14887 CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: This release of Red Hat JBoss Enterprise Application Platform 7.2.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205) * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) * xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400) * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) * netty: HTTP request smuggling (CVE-2019-20444) * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section. 3. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. The References section of this erratum contains a download link (you must log in to download the update). The JBoss server process must be restarted for the update to take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data 1764658 - CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source 1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header 1798524 - CVE-2019-20444 netty: HTTP request smuggling 5. JIRA issues fixed (https://issues.jboss.org/): JBEAP-16051 - [GSS](7.2.z) Upgrade javax.el-impl from 3.0.1.b08-redhat-1 to 3.0.1.b08-redhat-00003 JBEAP-17386 - [GSS](7.2.z) Upgrade Artemis from 2.9.0.redhat-00005 to 2.9.0.redhat-00009 JBEAP-17683 - [GSS](7.2.z) Upgrade JBoss Remoting from 5.0.16.Final-redhat-00001 to 5.0.17.Final-redhat-00001 JBEAP-17963 - [GSS](7.2.z) Upgrade Hibernate ORM from 5.3.14.Final-redhat-00001 to 5.3.15.Final-redhat-00001 JBEAP-18008 - [GSS](7.2.z) Upgrade Woodstox from 5.0.3.redhat-1 to 6.0.3.redhat-00001 JBEAP-18160 - [GSS](7.2.z) Upgrade wildfly-http-client from 1.0.18.Final-redhat-00001 to 1.0.20.Final-redhat-00001 JBEAP-18164 - [GSS](7.2.z) Upgrade HAL from 3.0.19.Final to 3.0.20.Final JBEAP-18220 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00010 to 2.5.5.SP12-redhat-00011 JBEAP-18274 - (7.2.z) Upgrade IronJacamar from 1.4.18.Final to 1.4.20.Final JBEAP-18284 - [GSS](7.2.z) Upgrade WildFly Core from 6.0.21 to 6.0.23 JBEAP-18292 - (7.2.z) Upgrade JAXB from 2.3.1 to 2.3.3-b02 and com.sun.istack from 3.0.7 to 3.0.10 JBEAP-18318 - [GSS](7.2.z) Upgrade jboss-ejb-client from 4.0.27.Final to 4.0.28.Final JBEAP-18327 - [GSS](7.2.z) Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00004 to 2.3.5.SP3-redhat-00005 JBEAP-18404 - [GSS](7.2.z) Upgrade Infinispan from 9.3.7.Final-redhat-00001 to 9.3.8.Final-redhat-00001 JBEAP-18437 - (7.2.z) Upgrade wildfly-transaction-client from 1.1.8.Final-redhat-00001 to 1.1.9.Final-redhat-00001 JBEAP-18504 - [GSS](7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012 JBEAP-18699 - [GSS](7.2.z) Upgrade WildFly Core from 6.0.23 to 6.0.24 6. References: https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-10086 https://access.redhat.com/security/cve/CVE-2019-12400 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-20444 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-7238 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.2 https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXmpq0tzjgjWX9erEAQgD1A//fPta8PQ2Tffo1GA2OwV1HLeYE1Zeu1yl lOQA1r3bp7lBwZcATNkD1KmMCN+9MVf14MzRg/4LBbECZokif4mNnAoaHWdJFkvO /ScZCF96l3PJN0TYjpZ6RYPQYxn9wnao2/x1/JgsXw9kNBXhu5lwtZpx7xSNO2v8 5WSOg6jJ7380OGevarqarZ7Im37QHz3bdgtPcoTI0oxaNDFm5gTk4OCu5i7iqPWc ZG/hIQj7p8mGdARSaR4RWiimkaH1jn68eb1dhL7JqFmZOFUhr/y/pKMGAd0f7uzP OhOxmTzrMKNfmJcOHpmH+y6P23CbffEr69K+MiwDguqUL/NY1kEdOxEr0MeZeC0P zYQM8RtKMQamcZiqnru9XBJ4+jCIJumw6zql+VbXj81wiy3D2qz66mlsAksRtUtu gdOuDiBQkUpBLWZPQaPCR5EQpo7Yj9REb9fQOoRG4Qw6A+Qv7NpdtMggvNfnBUOr G+V0wGiynxIUt7tMcTPAQdC0H6d/ZGIjBsTqkga0ruMLpOc5Msn/qyHSWf0QKiq3 +J9s/3/tt6VjRZr5mgDqhkCOdIJNtAjHZf/miznk8bYAl5htWJz/dJHDm8X2okJ+ xOepWX7u/8Y8crwlzlfNJoLWtaLlzDrUpM1ajb7OUA9TVwhpcwjwTTgupxYktfos 8z/GptbnP6M= =BbNd - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXmr9ymaOgq3Tt24GAQj0yBAA0qQaNJkQl8pccRcU4snbuoySn48Onouo C69aeWsIrY/TVRKDUR6EeW3yAVvcPL77Abyskoq0wWW6n+G7w41R3Z2fPuBxgG+S 3lv/uff/DoxnK59ZtghbqtVPG+31EFH2lLJApcJwmlP3GEutPWbVVfgp8X1FmIH8 mNsKHfPuH3j4mKMBZvnXfdGc6TaJIqfBwBLAFS+aVYG70p9INVj3Z7bM1izuO7Fu QWjVsVhv7CWOAk8fyNr+WBonN2P8pAufFx5XF1ayDffhU6vWuW5RmaUuDTCd3QR6 aH9xIIABhUTpO9B3nkNt144l3PnkOqBGAEpdnRsQhW4qFAanENAfFhuWsWcEAywp EhgqIY36NVi3N3lK/6jGagirmsvFe1lBICiBdEt3STSKEMbcpnL2pEqUdTeeSuE4 n3bz1uLrKsnxfAuqZpog8smvChhe+jlgEjNYmKBhyCx0FMxPksJHaFZij2u3oJSz SB89HT4CKncJ7CI/2TOsklMceWxphfhYtSd7YEp4j4jyncU2ajMyQOaJTKpKri9l kKRdnFzu4hBvj+hNDNxOv0GmWkzLKUtFPOj0gPlqzCPJ5q/RSf8Cup5eJ1E7159m mMxMs7qX6jFB1QuMXTsBXh1oC5LAuUgZ2p+1VIPrc5Ni8lBqODjtm1BOX4vSCz8Z xadmWkyQipc= =2+vU -----END PGP SIGNATURE-----