Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2536 Red Hat build of Thorntail 2.7.0 security and bug fix update 24 July 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat build of Thorntail 2.7.0 Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Modify Arbitrary Files -- Existing Account Denial of Service -- Remote/Unauthenticated Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-10719 CVE-2020-10705 CVE-2020-10688 CVE-2020-6950 CVE-2020-1757 CVE-2020-1745 CVE-2020-1744 CVE-2020-1732 CVE-2020-1727 CVE-2020-1724 CVE-2020-1719 CVE-2020-1718 CVE-2020-1714 CVE-2020-1698 CVE-2020-1697 CVE-2020-1695 CVE-2019-17573 CVE-2019-12423 CVE-2018-14371 Reference: ESB-2020.1662 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:2905 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat build of Thorntail 2.7.0 security and bug fix update Advisory ID: RHSA-2020:2905-01 Product: Red Hat OpenShift Application Runtimes Advisory URL: https://access.redhat.com/errata/RHSA-2020:2905 Issue date: 2020-07-23 CVE Names: CVE-2019-12423 CVE-2019-17573 CVE-2020-1695 CVE-2020-1697 CVE-2020-1698 CVE-2020-1714 CVE-2020-1718 CVE-2020-1719 CVE-2020-1724 CVE-2020-1727 CVE-2020-1732 CVE-2020-1744 CVE-2020-1745 CVE-2020-1757 CVE-2020-6950 CVE-2020-10688 CVE-2020-10705 CVE-2020-10719 ===================================================================== 1. Summary: An update is now available for Red Hat build of Thorntail. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section. 2. Description: This release of Red Hat build of Thorntail 2.7.0 includes security updates, bug fixes, and enhancements. For more information, see the release notes listed in the References section. Security Fix(es): * Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719) * cxf: reflected XSS in the services listing page (CVE-2019-17573) * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745) * Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950) * resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695) * undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757) * keycloak: stored XSS in client settings via application links (CVE-2020-1697) * keycloak: problem with privacy after user logout (CVE-2020-1724) * keycloak: Password leak by logged exception in HttpMethod class (CVE-2020-1698) * cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423) * Soteria: security identity corruption across concurrent threads (CVE-2020-1732) * keycloak: missing input validation in IDP authorization URLs (CVE-2020-1727) * keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP (CVE-2020-1744) * keycloak: security issue on reset credential flow (CVE-2020-1718) * keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714) * RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688) * undertow: invalid HTTP request with large chunk size (CVE-2020-10719) * undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100- continue" header (CVE-2020-10705) For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. 4. Bugs fixed (https://bugzilla.redhat.com/): 1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution 1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class 1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass 1790292 - CVE-2020-1698 keycloak: Password leak by logged exception in HttpMethod class 1791538 - CVE-2020-1697 keycloak: stored XSS in client settings via application links 1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain 1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow 1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId 1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page 1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout 1800573 - CVE-2020-1727 keycloak: missing input validation in IDP authorization URLs 1801726 - CVE-2020-1732 Soteria: security identity corruption across concurrent threads 1803241 - CVE-2020-10705 undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header 1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 1805792 - CVE-2020-1744 keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP 1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability 1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack 1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size 5. References: https://access.redhat.com/security/cve/CVE-2019-12423 https://access.redhat.com/security/cve/CVE-2019-17573 https://access.redhat.com/security/cve/CVE-2020-1695 https://access.redhat.com/security/cve/CVE-2020-1697 https://access.redhat.com/security/cve/CVE-2020-1698 https://access.redhat.com/security/cve/CVE-2020-1714 https://access.redhat.com/security/cve/CVE-2020-1718 https://access.redhat.com/security/cve/CVE-2020-1719 https://access.redhat.com/security/cve/CVE-2020-1724 https://access.redhat.com/security/cve/CVE-2020-1727 https://access.redhat.com/security/cve/CVE-2020-1732 https://access.redhat.com/security/cve/CVE-2020-1744 https://access.redhat.com/security/cve/CVE-2020-1745 https://access.redhat.com/security/cve/CVE-2020-1757 https://access.redhat.com/security/cve/CVE-2020-6950 https://access.redhat.com/security/cve/CVE-2020-10688 https://access.redhat.com/security/cve/CVE-2020-10705 https://access.redhat.com/security/cve/CVE-2020-10719 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType= distributions&product=catRhoar.thorntail&version=2.7.0 https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.7/html/ release_notes_for_thorntail_2.7/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXxk2rdzjgjWX9erEAQjSbQ//e0FG83JQFpQV7HUEsjPMB7+tT0UgoTXQ KnfasEPEP7wnPU07lZiVW94sxhUC/hAhce1KWIR3nT3uesMO4S+7o2vmgOwax1G7 yYsG1SRX4KK5Ma7Qvyx8lM+6TN0MNNrXGvFsqcYF1pJBL/1tfZfb/ciiqjrsR0Tp v20FKuNrNmn4IPRzN04AZafOG9tXQ8XMqkJaWxh8s4dupvElG4ywmYletwYLYMxS 5X+SVmQ9TtGSgJF6HUGoL0wsTbMtdlJPRrchhbjzAi00ZY5hElVa+MOzdyCFYygv ev0iz9m0foF1bXfbJTfpzbOnz/f3uJUTKCzz+mLf3voeqbvXnzUNn74MXZQynR8G LNFVpLo0U/d0wULkSSdFjqer+IxeUWRwcl2km1U42f+0BiCb4K3uHIjhkfAdRFFQ 7K8Nl/2GfJnLywD8693xSKi/6MeCHC2HhrYb9A89lXoebX/3WXkNUC4ReGL80+fg 3z7793xt6QzV9V+WOH8NbQS4SzpAOkusHMew7sQpLxU8r9uaF1KibshjUGq/rZlA YswTjYHqNLja7kx8GDejpO/RAhMq6asm38YtFzY+Qtipe8xcAxSrTiO6FLN+Xv0M YlvsaeWblymoLwbQ5ON59VoFFe1YgzIQP0CJEbWbnJl0UHdIldAbv22e4Trnw58t ZwsJot3fnjU= =2k8f - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXxpM4ONLKJtyKPYoAQitUw//TMH6hGRlK+8N3UpvkMjuIUouFDc7YJsj 2xeS4Qy1T/VHaMdN/d5NUhb14doku+aDOdnZGhUhPWWoQOjdAkcjyi8rCBH8a4Iq yRf27fkDx7LJbivcvgDrq+vk7L7Vv76J0i4xFKAM2vLwHoA8UmkITYGL0tyze9B6 f+UiVvVcEtpp7Gta4O3bG2r6t20GbktOygiO/PtLxUyUeTmuL8QTpU6SfQs7Zoh+ JVyZ9igB8kHbUeWGobCpLsGmLBNhDEN8418LDXYVdoZCoCLdHf8rGNwJVTuu9a7m COWQvjjme+dHXBPS4Ge4/bru9P7QKhqlqW1mfeIdGrcNeJ+7+uCMhW/BSegR3/Zb m5lLFCBFjVhqxN9zoE9dNv7bynH7pYBgRnexY7rtoTVI9oYSVxo59ElKCFmErnVk WrUFW8f3KtzGZOzB8oe0IrhtwcdEfOtdpSaAU6WT4sVqh+0EiZg7z5ftM0Zvhc3B eZwsCO+gpxcE5kNIVvP/kaPkZQ2uKISsL60hgujzV+SQSOp3KzL9Rs3tORrdR9an hH9oOgyEygJ2Q9aSEV7/pops79SOsQyWM8UCMaolwcGJqMoA3cftcPn1MnwELbkk FbxfAncY7I/hT9FBDl51vM4XFg1uhQgc+meA9BCPobd4DpLOj6u5aNLEYtTchbEi mLSt7XUBfCY= =r4sn -----END PGP SIGNATURE-----