-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2665
       Red Hat JBoss Web Server 3.1 Service Pack 10 security update
                               5 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Web Server 3.1 Service Pack 10
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux Server 7
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
                   Reduced Security  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13935 CVE-2020-1935 

Reference:         ESB-2020.2543
                   ESB-2020.2525

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:3303
   https://access.redhat.com/errata/RHSA-2020:3305

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 3.1 Service Pack 10 security update
Advisory ID:       RHSA-2020:3303-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3303
Issue date:        2020-08-04
CVE Names:         CVE-2020-1935 CVE-2020-13935 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and
RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 3.1 for RHEL 6 - noarch
Red Hat JBoss Web Server 3.1 for RHEL 7 - noarch

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 10 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: multiple requests with invalid payload length in a WebSocket
frame could lead to DoS (CVE-2020-13935)
* tomcat: Mishandling of Transfer-Encoding header allows for HTTP request
smuggling (CVE-2020-1935)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1806835 - CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
1857024 - CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS

6. Package List:

Red Hat JBoss Web Server 3.1 for RHEL 6:

Source:
tomcat7-7.0.70-41.ep7.el6.src.rpm
tomcat8-8.0.36-45.ep7.el6.src.rpm

noarch:
tomcat7-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-admin-webapps-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-docs-webapp-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-javadoc-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-jsvc-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-lib-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-log4j-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-selinux-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-41.ep7.el6.noarch.rpm
tomcat7-webapps-7.0.70-41.ep7.el6.noarch.rpm
tomcat8-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-admin-webapps-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-docs-webapp-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-el-2.2-api-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-javadoc-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-jsvc-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-lib-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-log4j-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-selinux-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-45.ep7.el6.noarch.rpm
tomcat8-webapps-8.0.36-45.ep7.el6.noarch.rpm

Red Hat JBoss Web Server 3.1 for RHEL 7:

Source:
tomcat7-7.0.70-41.ep7.el7.src.rpm
tomcat8-8.0.36-45.ep7.el7.src.rpm

noarch:
tomcat7-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-admin-webapps-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-docs-webapp-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-javadoc-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-jsvc-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-lib-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-log4j-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-selinux-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.70-41.ep7.el7.noarch.rpm
tomcat7-webapps-7.0.70-41.ep7.el7.noarch.rpm
tomcat8-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-admin-webapps-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-docs-webapp-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-el-2.2-api-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-javadoc-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-jsp-2.3-api-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-jsvc-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-lib-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-log4j-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-selinux-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-servlet-3.1-api-8.0.36-45.ep7.el7.noarch.rpm
tomcat8-webapps-8.0.36-45.ep7.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-1935
https://access.redhat.com/security/cve/CVE-2020-13935
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXylDg9zjgjWX9erEAQj06g//ZTPPtFSotn5xsi2mDSvauOoiItVoLgyF
2nFB89pJmDjzOA1nxAki5/MSBW3DPsNCjMq8EVB94jz7vyuxnIopTzBese4tC6QQ
GsNfRmn3visxaREWTUQquov3B7nV7+uI3Mun9u0rxxYAe8D5fy8KU/ZZqnzCKmp+
04cFV18KQdXnPABu9iZPx13Yfk+x0Qf9SQYiOCbQyVuPpFQXYjdJhgFPQeY0GYLO
qTKEac5UEeuMR0KZ2PwisWNwe2n8G+f4tn6uLpr26jrzsEhz/RaZK9UGE6E61ts5
b8I9eF3nmsITMiGxBsVewgiAUFRu32veaxgKYx+D/7uHZuNBBEII2sscA5jAzxnk
bVqVwfivWsxxgctD4LnETGrWay4FzjXuL6yxwg2sfHH1VnxlhL1V1nSrnB6M+/vY
VRchvqGvYHcP9dS3dhenZZTfyilyGxjBGGF1NsyUpuUo9GlgBo0MFfEM7vHp7DET
fjklQj9fSYyWGXqfl+qdvgF9pN9kYJb65GCA4k+zN7GeAteK0dfBlXbsnJ4u9b6X
JIDZVg5iCiAEJ3RUTFIHRTt6LK1RBTllbiHDPauic9Sb68rHNEQoIp2ero6/65vP
IFqnjz+4vOcLVrkTpjWsNWixlTndaiDH1XLdtENz+vxdfnNmZD5VSblNJ/ScViE6
ottW4YHIE0k=
=NNXu
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 3.1 Service Pack 10 security update
Advisory ID:       RHSA-2020:3305-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3305
Issue date:        2020-08-04
CVE Names:         CVE-2020-1935 CVE-2020-13935 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1, for RHEL 6,
RHEL 7 and Windows.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 10 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: multiple requests with invalid payload length in a WebSocket
frame could lead to DoS (CVE-2020-13935)
* tomcat: Mishandling of Transfer-Encoding header allows for HTTP request
smuggling (CVE-2020-1935) 

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1806835 - CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
1857024 - CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2020-1935
https://access.redhat.com/security/cve/CVE-2020-13935
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXylD+tzjgjWX9erEAQguExAAmiLW9+Fi7a5LqIjF8AmZRbT09mQwJVdR
LgOBIuDaRu4PjekSyyHUmQx1PfbapVf9k8nU3gDovIyUTiF5EZuVg9ehKjRQMOqN
dd7/N0XMALqCRISvVgviAencNXkrbW+/W4tLY4IgFCDCkHvwqxfZ51hh30pkwpjb
a7qAIOXXvmpzy5iS/ohtpifRZowxih2VA8fhubuDxJGS1qkKXREjQjw/JubBBMfS
5K0y1HgMP6q2eAVPeEveGnRhLSigsk35VDeuXY4mnUK6DKiJpmV7PKLmEeT+ocU5
kE97DO7aficX4xAzTn9fXlwlObjq+VkQIgeOqJ01zLIp9pok6UbWPacugVEvLaVp
D/iV54ExEphF+OW0dQZd3JvsxUdFHMyDp9bCkwwhuAtNhPfDqDAXjBpjof45AXqm
OobvCWgemWJ4YHXk5RG6vWqR+hmKHOSbaV0MtxZvnZSBqxlRj0D1MemuJPWPQ7MA
O+2k8sw/deQLl/UvYNlFmQBKhuk20v79oPPOs/BiT+gPAPMbD+bUx71llcqXoC0d
Zz40X7rqwaEHk2f87yiU0bF+0A1+NBOan83TwsPWK2BtGruWhikiU1IQuqvanu7V
+nmKgjTNeXVoYApl9yLSgA8Jqcu+5+qmmJU4t1SZ6M42cEcfkGJ4L0VYLWITtXFL
XWCFZYGyMeM=
=yiu8
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXyoOHONLKJtyKPYoAQiB7xAAsyElsQSQY9DVoHftESAxXAiD07yur8Ny
Czz1A2pXXOWc8dDHHaNOrDDPTfuiQ05tWDl8f0mVckDoKB5ZaanbH41aZsDUdY9K
xrWukRBPag5pQcWA1WyEFS/FA3Kefa1GjioY7CdHxQCdDi/7cQqWOHusfmFiPYx3
DL+AOloQMxHGe5CztUU1AqJZ9EfY0pRT4zQCvLy26KBh46KCWDOoABsm6+eMUiBY
xjGYAPLf101s68NzyJFRJDHd3J5ssbGtJKOzR+g/9baAGWM8iM+jKjAiYrhn1BHX
HdZP8caSZPBuUgMRIZc5/WH0Mj+4OuHsTpzBZ72d/Jk5VM629heCiTzUk97IQTc0
4L3nLQHKFKzV95SGSc+rMa1r7FOpgRFyoGY+MnjbpcWRLU9derO11QiHDa2QsCTj
mkUlBy/RWNrw5WUL8uGnOEyxkCSZi33gNAv25Zi+OhBwNk5XDBxx+Co5TYM7XPiQ
nl+KMuJGOFKHTxvX/ReSwGrY0B+kdII9WI2escAjZhFXxGAZmxh8sAjSpXqd0vIR
DXO80Pv1nuP+uOPRQ7n5YSK3RlfZatlC3HWvi7qtxjlDBdTFnm9v+sCx476/7Kse
6w/+I45t8gKzruLoFhca0LfnLYXe/mkC1b24n5I7POfEzqPt5s7U3J1jktB7m8bW
ceSdEbGCNvQ=
=iwBE
-----END PGP SIGNATURE-----