Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2536
Red Hat build of Thorntail 2.7.0 security and bug fix update
24 July 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat build of Thorntail 2.7.0
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Existing Account
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-10719 CVE-2020-10705 CVE-2020-10688
CVE-2020-6950 CVE-2020-1757 CVE-2020-1745
CVE-2020-1744 CVE-2020-1732 CVE-2020-1727
CVE-2020-1724 CVE-2020-1719 CVE-2020-1718
CVE-2020-1714 CVE-2020-1698 CVE-2020-1697
CVE-2020-1695 CVE-2019-17573 CVE-2019-12423
CVE-2018-14371
Reference: ESB-2020.1662
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:2905
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat build of Thorntail 2.7.0 security and bug fix update
Advisory ID: RHSA-2020:2905-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2905
Issue date: 2020-07-23
CVE Names: CVE-2019-12423 CVE-2019-17573 CVE-2020-1695
CVE-2020-1697 CVE-2020-1698 CVE-2020-1714
CVE-2020-1718 CVE-2020-1719 CVE-2020-1724
CVE-2020-1727 CVE-2020-1732 CVE-2020-1744
CVE-2020-1745 CVE-2020-1757 CVE-2020-6950
CVE-2020-10688 CVE-2020-10705 CVE-2020-10719
=====================================================================
1. Summary:
An update is now available for Red Hat build of Thorntail.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each
vulnerability. For more information, see the CVE links in the References
section.
2. Description:
This release of Red Hat build of Thorntail 2.7.0 includes security updates,
bug fixes, and enhancements. For more information, see the release notes
listed in the References section.
Security Fix(es):
* Wildfly: EJBContext principal is not popped back after invoking another
EJB using a different Security Domain (CVE-2020-1719)
* cxf: reflected XSS in the services listing page (CVE-2019-17573)
* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)
* Mojarra: Path traversal via either the loc parameter or the con
parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)
* resteasy: Improper validation of response header in
MediaTypeHeaderDelegate.java class (CVE-2020-1695)
* undertow: servletPath is normalized incorrectly leading to dangerous
application mapping which could result in security bypass (CVE-2020-1757)
* keycloak: stored XSS in client settings via application links
(CVE-2020-1697)
* keycloak: problem with privacy after user logout (CVE-2020-1724)
* keycloak: Password leak by logged exception in HttpMethod class
(CVE-2020-1698)
* cxf: OpenId Connect token service does not properly validate the clientId
(CVE-2019-12423)
* Soteria: security identity corruption across concurrent threads
(CVE-2020-1732)
* keycloak: missing input validation in IDP authorization URLs
(CVE-2020-1727)
* keycloak: failedLogin Event not sent to BruteForceProtector when using
Post Login Flow with Conditional-OTP (CVE-2020-1744)
* keycloak: security issue on reset credential flow (CVE-2020-1718)
* keycloak: Lack of checks in ObjectInputStream leading to Remote Code
Execution (CVE-2020-1714)
* RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected
XSS attack (CVE-2020-10688)
* undertow: invalid HTTP request with large chunk size (CVE-2020-10719)
* undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-
continue" header (CVE-2020-10705)
For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link for the
update. You must be logged in to download the update.
4. Bugs fixed (https://bugzilla.redhat.com/):
1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading
to Remote Code Execution
1730462 - CVE-2020-1695 resteasy: Improper validation of response header in
MediaTypeHeaderDelegate.java class
1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading
to dangerous application mapping which could result in security bypass
1790292 - CVE-2020-1698 keycloak: Password leak by logged exception in HttpMethod class
1791538 - CVE-2020-1697 keycloak: stored XSS in client settings via application links
1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after
invoking another EJB using a different Security Domain
1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow
1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly
validate the clientId
1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page
1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout
1800573 - CVE-2020-1727 keycloak: missing input validation in IDP authorization URLs
1801726 - CVE-2020-1732 Soteria: security identity corruption across concurrent threads
1803241 - CVE-2020-10705 undertow: Memory exhaustion issue in HttpReadListener via
"Expect: 100-continue" header
1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the
con parameter, incomplete fix of CVE-2018-14371
1805792 - CVE-2020-1744 keycloak: failedLogin Event not sent to BruteForceProtector
when using Post Login Flow with Conditional-OTP
1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability
1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to
a reflected XSS attack
1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size
5. References:
https://access.redhat.com/security/cve/CVE-2019-12423
https://access.redhat.com/security/cve/CVE-2019-17573
https://access.redhat.com/security/cve/CVE-2020-1695
https://access.redhat.com/security/cve/CVE-2020-1697
https://access.redhat.com/security/cve/CVE-2020-1698
https://access.redhat.com/security/cve/CVE-2020-1714
https://access.redhat.com/security/cve/CVE-2020-1718
https://access.redhat.com/security/cve/CVE-2020-1719
https://access.redhat.com/security/cve/CVE-2020-1724
https://access.redhat.com/security/cve/CVE-2020-1727
https://access.redhat.com/security/cve/CVE-2020-1732
https://access.redhat.com/security/cve/CVE-2020-1744
https://access.redhat.com/security/cve/CVE-2020-1745
https://access.redhat.com/security/cve/CVE-2020-1757
https://access.redhat.com/security/cve/CVE-2020-6950
https://access.redhat.com/security/cve/CVE-2020-10688
https://access.redhat.com/security/cve/CVE-2020-10705
https://access.redhat.com/security/cve/CVE-2020-10719
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=
distributions&product=catRhoar.thorntail&version=2.7.0
https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.7/html/
release_notes_for_thorntail_2.7/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXxk2rdzjgjWX9erEAQjSbQ//e0FG83JQFpQV7HUEsjPMB7+tT0UgoTXQ
KnfasEPEP7wnPU07lZiVW94sxhUC/hAhce1KWIR3nT3uesMO4S+7o2vmgOwax1G7
yYsG1SRX4KK5Ma7Qvyx8lM+6TN0MNNrXGvFsqcYF1pJBL/1tfZfb/ciiqjrsR0Tp
v20FKuNrNmn4IPRzN04AZafOG9tXQ8XMqkJaWxh8s4dupvElG4ywmYletwYLYMxS
5X+SVmQ9TtGSgJF6HUGoL0wsTbMtdlJPRrchhbjzAi00ZY5hElVa+MOzdyCFYygv
ev0iz9m0foF1bXfbJTfpzbOnz/f3uJUTKCzz+mLf3voeqbvXnzUNn74MXZQynR8G
LNFVpLo0U/d0wULkSSdFjqer+IxeUWRwcl2km1U42f+0BiCb4K3uHIjhkfAdRFFQ
7K8Nl/2GfJnLywD8693xSKi/6MeCHC2HhrYb9A89lXoebX/3WXkNUC4ReGL80+fg
3z7793xt6QzV9V+WOH8NbQS4SzpAOkusHMew7sQpLxU8r9uaF1KibshjUGq/rZlA
YswTjYHqNLja7kx8GDejpO/RAhMq6asm38YtFzY+Qtipe8xcAxSrTiO6FLN+Xv0M
YlvsaeWblymoLwbQ5ON59VoFFe1YgzIQP0CJEbWbnJl0UHdIldAbv22e4Trnw58t
ZwsJot3fnjU=
=2k8f
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXxpM4ONLKJtyKPYoAQitUw//TMH6hGRlK+8N3UpvkMjuIUouFDc7YJsj
2xeS4Qy1T/VHaMdN/d5NUhb14doku+aDOdnZGhUhPWWoQOjdAkcjyi8rCBH8a4Iq
yRf27fkDx7LJbivcvgDrq+vk7L7Vv76J0i4xFKAM2vLwHoA8UmkITYGL0tyze9B6
f+UiVvVcEtpp7Gta4O3bG2r6t20GbktOygiO/PtLxUyUeTmuL8QTpU6SfQs7Zoh+
JVyZ9igB8kHbUeWGobCpLsGmLBNhDEN8418LDXYVdoZCoCLdHf8rGNwJVTuu9a7m
COWQvjjme+dHXBPS4Ge4/bru9P7QKhqlqW1mfeIdGrcNeJ+7+uCMhW/BSegR3/Zb
m5lLFCBFjVhqxN9zoE9dNv7bynH7pYBgRnexY7rtoTVI9oYSVxo59ElKCFmErnVk
WrUFW8f3KtzGZOzB8oe0IrhtwcdEfOtdpSaAU6WT4sVqh+0EiZg7z5ftM0Zvhc3B
eZwsCO+gpxcE5kNIVvP/kaPkZQ2uKISsL60hgujzV+SQSOp3KzL9Rs3tORrdR9an
hH9oOgyEygJ2Q9aSEV7/pops79SOsQyWM8UCMaolwcGJqMoA3cftcPn1MnwELbkk
FbxfAncY7I/hT9FBDl51vM4XFg1uhQgc+meA9BCPobd4DpLOj6u5aNLEYtTchbEi
mLSt7XUBfCY=
=r4sn
-----END PGP SIGNATURE-----