-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2071
       EAP Continuous Delivery Technical Preview security updates
                               16 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           EAP Continuous Delivery Technical Preview
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11620 CVE-2020-11619 CVE-2019-19343 CVE-2019-14838
                   CVE-2019-9515 CVE-2019-9514 CVE-2019-9512 CVE-2019-9511
                   CVE-2019-3805 CVE-2018-19362 CVE-2018-19361 CVE-2018-19360
                   CVE-2018-14721 CVE-2018-14720 CVE-2018-14719 CVE-2018-14718
                   CVE-2018-10862 CVE-2018-10237 CVE-2018-8088 CVE-2018-7489
                   CVE-2018-1067 CVE-2017-15089 CVE-2017-12629 CVE-2017-12196
                   CVE-2017-12174 CVE-2017-7525 CVE-2017-7503 CVE-2017-7465
                   CVE-2016-4993
Reference:         ASB-2019.0299 ASB-2019.0238 ESB-2020.0007 ESB-2019.4697
                   ESB-2019.4533 ESB-2019.3440

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:2561
   https://access.redhat.com/errata/RHSA-2020:2562
   https://access.redhat.com/errata/RHSA-2020:2563
   https://access.redhat.com/errata/RHSA-2020:2564
   https://access.redhat.com/errata/RHSA-2020:2565

Comment: This bulletin contains five (5) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: EAP Continuous Delivery Technical Preview Release 12 security update
Advisory ID:       RHSA-2020:2561-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2561
Issue date:        2020-06-15
CVE Names:         CVE-2017-12174 CVE-2017-12196 CVE-2017-12629 CVE-2017-15089
                   CVE-2018-8088
=====================================================================

1. Summary:

This is a security update for JBoss EAP Continuous Delivery 12.0.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform CD12 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform CD12 includes bug fixes and enhancements.

Security Fix(es):

* artemis: artemis/hornetq: memory exhaustion via UDP and JGroups discovery (CVE-2017-12174)

* lucene: Solr: Code execution via entity expansion (CVE-2017-12629)

* infinispan-core: infinispan: Unsafe deserialization of malicious object injected into data cache (CVE-2017-15089)

* slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)

* elytron: client can use bogus uri in digest authentication (CVE-2017-12196)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

You must restart the JBoss server process for the update to take effect.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1498378 - CVE-2017-12174 artemis/hornetq: memory exhaustion via UDP and JGroups discovery
1501529 - CVE-2017-12629 Solr: Code execution via entity expansion
1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication
1503610 - CVE-2017-15089 infinispan: Unsafe deserialization of malicious object injected into data cache
1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution

5. References:

https://access.redhat.com/security/cve/CVE-2017-12174
https://access.redhat.com/security/cve/CVE-2017-12196
https://access.redhat.com/security/cve/CVE-2017-12629
https://access.redhat.com/security/cve/CVE-2017-15089
https://access.redhat.com/security/cve/CVE-2018-8088
https://access.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
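Two of the fixes in this advisory (CVE-2017-15089 in Infinispan and CVE-2018-8088 in slf4j's EventData) are Java native deserialization bugs: an ObjectInputStream reconstructs whatever class the incoming byte stream names, so the application's class path rather than its own code decides what gets instantiated. The example below is added by the editor and is not Red Hat's or JBoss EAP's code. It shows the JDK serialization filter (java.io.ObjectInputFilter, Java 9 and later) that lets a consumer of serialized data allow-list the classes a stream may contain and cap its depth and size; the CacheEntry and NotExpected classes, the CACHE_FILTER pattern and the readFiltered/readUnfiltered helpers are hypothetical stand-ins for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilterDemo {

    // Hypothetical stand-in for a type the application legitimately stores in a cache.
    static final class CacheEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final int ttlSeconds;
        CacheEntry(String key, int ttlSeconds) { this.key = key; this.ttlSeconds = ttlSeconds; }
    }

    // Hypothetical, inert stand-in for any class that should never arrive over the wire.
    static final class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Weak: readObject() with no filter reconstructs whatever classes the stream names.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: a JDK serialization filter. Only the listed classes may be instantiated,
    // "!*" rejects every other class, and the limits bound graph depth, reference count and
    // stream size so a crafted stream cannot exhaust memory either. (Constructed pattern.)
    static final ObjectInputFilter CACHE_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=1000;maxbytes=65536;"
            + DeserializationFilterDemo.class.getName() + "$CacheEntry;"
            + "java.util.ArrayList;java.lang.String;!*");

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(CACHE_FILTER);   // must be set before the first read
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<CacheEntry> entries = new ArrayList<>();
        entries.add(new CacheEntry("session:42", 300));
        byte[] expected = serialize(entries);          // constructed, legitimate stream
        byte[] foreign = serialize(new NotExpected()); // constructed stream naming another class

        System.out.println("filtered, expected data:   " + readFiltered(expected).getClass().getName());
        System.out.println("unfiltered, foreign class: " + readUnfiltered(foreign).getClass().getName());
        try {
            readFiltered(foreign);
            System.out.println("UNEXPECTED: filter let the foreign class through");
        } catch (InvalidClassException e) {
            // The filter reports rejection as InvalidClassException before any constructor runs.
            System.out.println("filtered, foreign class:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on Java 9 or later. The same pattern language can be applied process-wide through the `jdk.serialFilter` system property, which is the practical way to cover streams opened inside libraries such as a cache or logging layer whose code the application does not construct itself.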
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXuerPtzjgjWX9erEAQgCkA//fN8OaspSHgLAnFgnSsHPHaOanomERmo/
KQTFe0eUohwOjqsuZRy7d7bCTgI0Dy6sPxX9C/keWiQjUId6sa7WHNdYhSfhr030
9hBEs7aqgeDFPmum+/+qSz9JzHbxrj5FMJDQlD8A07t0BkEJzQHv/5oI6Jzdm/pU
Mj1uUVVlhI+GyU86UY+0Lgu6eyYbr7BtGMtBoxkwcD/SrzxaN3DWChuaia+Z7tkd
YuK3EbfGI/O0go7wBBtBLZacW8phdAgHxYcUaI9JlpOMLXCqqVv0iW4cEnSifEvy
hwGE70lNMZnCGN+1yaZ547eQXXeBCPjtvFnVqxJ5ipafK1IJfQU+Boq6JPC4Wp4A
bOxC5vg9wTZr49PrtvcGY/+0/IGNxUVsbvqxpM+Lp8cN3kLNG1sxPjv34y1WUU/Z
B85ydHw/HM34GH6VJhRFN4DnDckdR5Z61uyVYGPUOCFN0ujUrN3mE5doQz1Ob3tR
gVDtmj6f59jHJjO6e5rXwbGK70JkjtHAWDn9ysoGGz/CvqXMAvNzwZgb2ALmL+EW
ylfwlse4zwqaShFKhai6R0buhTZVi25IwuPRotWKZf+Bd5kLqBgaSwTkULKBh5Dl
Wobbg6qBbD38NQEhkbLEJs4vMti9pl8aqN5UH4zpbgsZRn8Tx0j44TePjrGSVsLi
6aRRuqm1Oag=
=OQYb
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: EAP Continuous Delivery Technical Preview Release 13 security update
Advisory ID:       RHSA-2020:2562-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2562
Issue date:        2020-06-15
CVE Names:         CVE-2017-12196 CVE-2018-1067 CVE-2018-7489 CVE-2018-10237
                   CVE-2018-10862
=====================================================================

1. Summary:

This is a security update for JBoss EAP Continuous Delivery 13.0.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform CD13 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform CD13 includes bug fixes and enhancements.

Security Fix(es):

* guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237)

* undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) (CVE-2018-1067)

* jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489)

* wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) (CVE-2018-10862)

* undertow: client can use bogus uri in digest authentication (CVE-2017-12196)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

You must restart the JBoss server process for the update to take effect.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1503055 - CVE-2017-12196 undertow: Client can use bogus uri in Digest authentication
1549276 - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
1550671 - CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)
1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
1593527 - CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)

5. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-14581 - (CD12) Upgrade FasterXML Jackson from 2.9.4.redhat-1 to 2.9.5.redhat-1

6. References:

https://access.redhat.com/security/cve/CVE-2017-12196
https://access.redhat.com/security/cve/CVE-2018-1067
https://access.redhat.com/security/cve/CVE-2018-7489
https://access.redhat.com/security/cve/CVE-2018-10237
https://access.redhat.com/security/cve/CVE-2018-10862
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXueq+dzjgjWX9erEAQiiGhAAm99iamjB393vNNXKPha67z0GDrakMYUG
Zipx58R9rg2yEvj7xnaMFIQTuyuXbMTQHpUiHRSHN0eTs6Ua1ePuK7tHfTedCZuP
IKRw9t0RDJvNi5eNAtOFKbg8oTB9vu0mF9OhI0A79vm+WdqCAk1GUhhsvPbqkuN3
yQCis3UgovidI/JILZMfT6WBowgk7TObzaY5fMMdjxLR9qwxkGjiYA9K/VBfv8AM
5THHlMSRrbhS2OueCQm8/dD9K21UHES0AqHCctdwO5FXH0wjfgLZhpAQV4APnlAG
QUbHA4NwIcPhhsENRMGbJJGnZfI6fHnPJ7VRApbLDT+DJYwWAFEn0mMkbOTXw8xJ
KtbxSSRstON53l7jpFGCsdCf63hFzuMZKWA5fuYlDLBjkjhSYe2JCxEgRHuEsoES
c//lCdzWWXAVbcwpdBEiIHU1DM9eTcjLGV30QY5/+OozzWEPVmqZhcNvGPV+IUOh
jXbGeLEUDCbX8KgLVTowsF0VVIyzpG3LsbhMvd9MMBfmQ1FExLCqYm56q302RIx4
DGJ8oJbjo//Kb7QjXcxS6I51Ljop5oAyzyvvw5ttDuIOCXMLItlKM+Iv/WrgJkok
zydM2lSEjlA1Ng6dR4UUC3wJ8Pv6C7XGrjsNiXFhrf6vpr+moFKvQrLMiq8uNkzz
b/QhNUPU+iU=
=dP46
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: EAP Continuous Delivery Technical Preview Release 14 security update
Advisory ID:       RHSA-2020:2563-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2563
Issue date:        2020-06-15
CVE Names:         CVE-2017-7465 CVE-2017-7503
=====================================================================

1. Summary:

This is a security update for JBoss EAP Continuous Delivery 14.0.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform CD14 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform CD14 includes bug fixes and enhancements.

Security Fix(es):

* XML Frameworks: JBoss: JAXP in EAP 7.0 allows RCE via XSL (CVE-2017-7465)

* XML Frameworks: TransformerFactory in JBoss EAP 7 is vulnerable to XXE (CVE-2017-7503)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

You must restart the JBoss server process for the update to take effect.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1439980 - CVE-2017-7465 JBoss: JAXP in EAP 7.0 allows RCE via XSL
1451960 - CVE-2017-7503 EAP: XXE issue in TransformerFactory

5. References:

https://access.redhat.com/security/cve/CVE-2017-7465
https://access.redhat.com/security/cve/CVE-2017-7503
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=eap-cd&version=14

6. Contact:

The Red Hat security contact is <secalert@redhat.com>.
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXuefhdzjgjWX9erEAQhAlxAAmBc/npuEUSQ+mINPSy7w/B4E4A84TCdF
b0Hp05Kaz1rIcwS7kBeuspKNPIwckTmTlXwRrwMlUBVxCyxzZWItWRtM+yBeWwLJ
tbtDmVrZtJ81ZTiduS7W96r9f4QtmoDH0a9vsaFZq3SdATELq49O204T+PSTebqu
VgoTnDY7FzXickAOUl7JMTP2IupjlSdUe4FG+kHOL1qZqKPFXSOJEtv4gLTa0Wwp
JcwnA/oj2yd2c1kuNXR1+49oBGutgipB5SSLVO6LCwAzEBvDWxg+NtiInONqT5Fm
rcw3hJpWojW6k3U3a5XHMy9yUmCuNKfrHe+V/A1XotBexopDRoExpQNgAPH0a8A1
iuuCMWLvXkgYd8lfxt9ai5VVE+1lhl1f4GyWsKmO96EeNU2BxbzI21N+rtqWaOJf
MNheQs1zrLHFbDCC6ZRSozZfzQFivkYq1FrPcYKnBR+wRHdkVrkq/2cIpV1r75tW
OSL7HNSb+JRMflTuNIidQSIloXCCO5724McepOte48QhPOxIHyFuQS4974BB/4D+
TmeCkKyuqvcGOGgswYjo9ukMapoox/3ypAyV4NUBqJxqUsBgzR3ybd/rRObRajjt
68aGXoIprM0etxHYXkJhWlvV6rvku7vyELVgK1R/S03WMbkTAD/uzTPZaEjuF5GV
a2DmpK7QXIU=
=vXbI
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: EAP Continuous Delivery Technical Preview Release 16 security update
Advisory ID:       RHSA-2020:2564-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2564
Issue date:        2020-06-15
CVE Names:         CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721
                   CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
=====================================================================

1. Summary:

This is a security update for JBoss EAP Continuous Delivery 16.0.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform CD16 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform CD16 includes bug fixes and enhancements.

Security Fix(es):

* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)

* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)

* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)

* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)

* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)

* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

You must restart the JBoss server process for the update to take effect.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class

5. References:

https://access.redhat.com/security/cve/CVE-2018-14718
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-14720
https://access.redhat.com/security/cve/CVE-2018-14721
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXueqxdzjgjWX9erEAQgwCA//ZwbtBt/RaVyCEfmNxSoEaXff9lQ1udLD
iMuq9a4MloE+4mfqibyAJLFCr4puqeIcfIR1jwbLUsSPCV2enlo08xAkmtU8d6/0
DADRcFxt93eAZBd8hbm1GP4fAI0y8c/PvevuO5n6mkf0fw0LO3wY5EnpvF673oHz
yUjgjgi/v6jTk8LqhOW5gNDDbOyRj7brLHE3t3WFFBE1Osu5fD2g3+yjNk+ONMFK
sEvErBebBHhOH1OSwCVSWDVa+OYAeKWua5mH9UiILD2sWqyMY0x+4JcDQMsR4S2m
QgEunCBlZrD4RxAJcW4PWeEmTBbt8VAyXG6PlnmMEVYlDIpHAAcDepU2dOBompWZ
H8jGzMxHmmrjeMyVls6poAuIK0Rro8W/fSEHbHH4SRuO0E59FLGx5WD2lhgnQ9l8
Q0IUXiGdB+MtD8njwGEqRlnZ8Ipfmsgauoe32n0fvQfQPUXAf9GP4+OcYkl72kXr
2ilC1YmbGwUyA3vXekHAQ4spWUd83B++sFknoG/0KmgRNnCMwXjkYT3tjiJaz56U
afl9fBmXV/CKvL0A1KgzML8h8/aGu/IF1tpuDx+xwR9bJdn0fvN/Yi7FaPqcvn53
bwZ64TxYseGNPDpcUbr6qFiEzeNS9h9Vn3JwmbMYY20qytMr1K5ZZcWw2YbdwOG0
Lo4jPNpH0Hw=
=WCi+
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: EAP Continuous Delivery Technical Preview Release 18 security update
Advisory ID:       RHSA-2020:2565-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2565
Issue date:        2020-06-15
CVE Names:         CVE-2019-3805 CVE-2019-9511 CVE-2019-9512 CVE-2019-9514
                   CVE-2019-9515 CVE-2019-14838 CVE-2019-19343 CVE-2020-11619
                   CVE-2020-11620
=====================================================================

1. Summary:

This is a security update for JBoss EAP Continuous Delivery 18.0.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform CD18 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform CD18 includes bug fixes and enhancements.

Security Fix(es):

* jackson-databind: Serialization gadgets in org.springframework:spring-aop (CVE-2020-11619)

* jackson-databind: Serialization gadgets in commons-jelly:commons-jelly (CVE-2020-11620)

* wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)

* undertow: HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)

* undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)

* undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)

* undertow: HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)

* wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default (CVE-2019-14838)

* undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely (CVE-2019-19343)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

You must restart the JBoss server process for the update to take effect.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth
1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service
1751227 - CVE-2019-14838 wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default
1780445 - CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
1826798 - CVE-2020-11620 jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
1826805 - CVE-2020-11619 jackson-databind: Serialization gadgets in org.springframework:spring-aop

5. References:

https://access.redhat.com/security/cve/CVE-2019-3805
https://access.redhat.com/security/cve/CVE-2019-9511
https://access.redhat.com/security/cve/CVE-2019-9512
https://access.redhat.com/security/cve/CVE-2019-9514
https://access.redhat.com/security/cve/CVE-2019-9515
https://access.redhat.com/security/cve/CVE-2019-14838
https://access.redhat.com/security/cve/CVE-2019-19343
https://access.redhat.com/security/cve/CVE-2020-11619
https://access.redhat.com/security/cve/CVE-2020-11620
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
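Ten of the CVEs in this bulletin (CVE-2018-7489 in RHSA-2020:2562, the seven jackson-databind entries in RHSA-2020:2564 and the two "serialization gadgets" entries in RHSA-2020:2565) share one precondition: an ObjectMapper with default typing enabled, which lets the JSON document itself name the Java class to instantiate, so each newly discovered gadget class on the class path becomes a new CVE. The example below is added by the editor and is not Red Hat's, JBoss EAP's or the Jackson project's code. It puts the weak configuration (enableDefaultTyping, deprecated since jackson-databind 2.10) beside the hardened one that 2.10 introduced, where default typing can only be activated together with a PolymorphicTypeValidator allow-list, and shows the same constructed document being accepted by one mapper and rejected by the other. The Envelope and LoginEvent classes, the com.example.events package and both JSON documents are constructed for the demo.

```java
package com.example.events;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Hypothetical domain types; public fields keep the example short.
class Envelope {
    public Object payload;   // declared as Object: this is what makes Jackson emit and trust type ids
}

class LoginEvent {
    public String user;
}

public class JacksonHardening {

    // Weak setting: global default typing with no validator. Any class on the class path can be
    // named in a type id, which is the precondition shared by the jackson-databind CVEs above.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened setting (jackson-databind 2.10+): default typing is activated only together with a
    // PolymorphicTypeValidator that allow-lists our own event package. Every other class is denied,
    // so the decision no longer depends on a block-list of known gadgets.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper weak = weakMapper();
        ObjectMapper hardened = hardenedMapper();

        // Legitimate document, produced by the hardened mapper itself and read back (round trip).
        Envelope env = new Envelope();
        LoginEvent login = new LoginEvent();
        login.user = "alice";
        env.payload = login;
        String good = hardened.writeValueAsString(env);
        System.out.println("serialized: " + good);
        Envelope back = hardened.readValue(good, Envelope.class);
        System.out.println("hardened mapper accepted payload type: " + back.payload.getClass().getName());

        // Constructed document whose inner type id names a class outside the allow-list. A harmless
        // JDK collection is used; the point is that the allow-list decides, not the class's reputation.
        String foreign = "[\"com.example.events.Envelope\","
                + "{\"payload\":[\"java.util.LinkedList\",[\"x\"]]}]";

        Envelope viaWeak = weak.readValue(foreign, Envelope.class);
        System.out.println("weak mapper accepted payload type: " + viaWeak.payload.getClass().getName());

        try {
            hardened.readValue(foreign, Envelope.class);
            System.out.println("UNEXPECTED: hardened mapper accepted a foreign type id");
        } catch (InvalidTypeIdException e) {
            // Denied before the named class is instantiated.
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

Needs jackson-core, jackson-annotations and jackson-databind 2.10 or later on the class path; compile with `javac -d out -cp <jackson jars> JacksonHardening.java` and run `java -cp out:<jackson jars> com.example.events.JacksonHardening`. The stronger option is still to leave default typing off entirely and declare polymorphism per property with @JsonTypeInfo and named subtypes, which the allow-list validator above approximates for code bases that cannot drop global default typing yet.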
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXueq39zjgjWX9erEAQiVvw//WMAI8AuJgNj6ocD8JJbETwuAlv3Qjc2n
iZ29Nu4o7hQTR9GLyLu7f4Tcn9gzRfLUXFR4Ly0KknHTOluRcmYatf4pT1yM+1/Z
MP3SyS/HScdxvoKybcz0LgzT6D5HpfkskB49QYEQNI4TnWz88fKpET/fQc/kDUGS
mJ4EKGcZdYFzCHo2vuK28WCd1e612Dg2MSv7jfctJltwQQunJTsovKJdyFOaIUsV
U8GdYj8TL3PlARInizUioB/UA7tReRhkg97jjzQBqQXHUfNnwr3kSMHAWrANnvGx
m+1B+QLVdcT+22OvsXgdlksK4ceOleSFJ77kiIcuU9PSQ/FRArigDKrj5DQIUfjY
yG7xOE0h9AlMeoQUhyWikG0ZyYJ+v+S85cquWPZZiWuXesht8XAlyYpba1sz+Tuj
g/ASXhlUl9WRSAKIe6ijqNasi5vcs4kNnpcKJv4DZe+cJSLtU/QE9P7FUmXxJPuE
2MTonbkWRLtEAcOx6An0pJAQRGStqCCYd4hOP2KWcUgTe1rxbkidyq0ggo5LsRpT
+03VNDjJqkTBwTVc1OPEqCZYu4aa+45NJNDPwwiuse1BW0vw41SCoRDHe7QiWNrn
27CK6VcWpjJKybVLzKxkIas6MUJISdp7KAES5NgrKo/R3V3ycZCd2RJP0Ib8oevO
s+d7FrCZsfA=
=ZGb7
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXuhD9uNLKJtyKPYoAQhS1A/9G+vOywTfcd5nQUYmGYLFEoi0K5We0xCD
/5Uz2PIHyh1mqW8FH3gvD2XV03cwfbvkVWGhjPc6ULOrVYRcV7XPjIzAft1sY3jH
BP1F4tWUMCNW4td1zoQwa2J5lRs1bsnZfK0HTWQIgxxfXZuTcYYJ5gm9zWitDX6D
KQEIO1ZHmu/Q4e8OfHlk3YmMthwdOdnttyjg/MGMajX/SIHtpoae7qLUwBKRN261
PWnCBjOnglJgYntnrrmq6/oa2+/Y8pr9dp0lQMQHxPiHV3PnM3v/gImTeIHy3Jga
M55fdx8UlvH26VLbwkCTxuzh/t0F5XQioe476xFt4WUKzVCSaTusroyGC1sIdw1j
zdEp8+UVUhCUN9c62/1lMcKTG8dnZniuL5GEs43tS3kLTeA9IsbwHw6Qt88Aq2aX
nUX1Erb403monnxEwlLqlmfXW3eWtxMNpIqDvIdWpJuRSTZNGUV3hVnJfgAhl65d
a64xZ8geBqR601xdGJCEQtye38ayAvpT3/muu197ZPjAWoLAb3sd4NaJkE+nokfh
mf64BQpmqR7ERetVXrl7Nq0I7pZBRvEbw0OfWx3YfMq7brr420ZXMrou1kmqFY6z
gr5JrAUWN+45fmkHbYL2QObwHsxZHMCrw48VBdY3WVSvZM+d9/VDPf8h9er2FPF/
KPsOpRiTBdM=
=aNDC
-----END PGP SIGNATURE-----