Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2665 Red Hat JBoss Web Server 3.1 Service Pack 10 security update 5 August 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat JBoss Web Server 3.1 Service Pack 10 Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux Server 7 Windows Impact/Access: Denial of Service -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-13935 CVE-2020-1935 Reference: ESB-2020.2543 ESB-2020.2525 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:3303 https://access.redhat.com/errata/RHSA-2020:3305 Comment: This bulletin contains two (2) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 10 security update Advisory ID: RHSA-2020:3303-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2020:3303 Issue date: 2020-08-04 CVE Names: CVE-2020-1935 CVE-2020-13935 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and RHEL 7. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Server 3.1 for RHEL 6 - noarch Red Hat JBoss Web Server 3.1 for RHEL 7 - noarch 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 10 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es): * tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935) * tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2020-1935) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1806835 - CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling 1857024 - CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS 6. Package List: Red Hat JBoss Web Server 3.1 for RHEL 6: Source: tomcat7-7.0.70-41.ep7.el6.src.rpm tomcat8-8.0.36-45.ep7.el6.src.rpm noarch: tomcat7-7.0.70-41.ep7.el6.noarch.rpm tomcat7-admin-webapps-7.0.70-41.ep7.el6.noarch.rpm tomcat7-docs-webapp-7.0.70-41.ep7.el6.noarch.rpm tomcat7-el-2.2-api-7.0.70-41.ep7.el6.noarch.rpm tomcat7-javadoc-7.0.70-41.ep7.el6.noarch.rpm tomcat7-jsp-2.2-api-7.0.70-41.ep7.el6.noarch.rpm tomcat7-jsvc-7.0.70-41.ep7.el6.noarch.rpm tomcat7-lib-7.0.70-41.ep7.el6.noarch.rpm tomcat7-log4j-7.0.70-41.ep7.el6.noarch.rpm tomcat7-selinux-7.0.70-41.ep7.el6.noarch.rpm tomcat7-servlet-3.0-api-7.0.70-41.ep7.el6.noarch.rpm tomcat7-webapps-7.0.70-41.ep7.el6.noarch.rpm tomcat8-8.0.36-45.ep7.el6.noarch.rpm tomcat8-admin-webapps-8.0.36-45.ep7.el6.noarch.rpm tomcat8-docs-webapp-8.0.36-45.ep7.el6.noarch.rpm tomcat8-el-2.2-api-8.0.36-45.ep7.el6.noarch.rpm tomcat8-javadoc-8.0.36-45.ep7.el6.noarch.rpm tomcat8-jsp-2.3-api-8.0.36-45.ep7.el6.noarch.rpm tomcat8-jsvc-8.0.36-45.ep7.el6.noarch.rpm tomcat8-lib-8.0.36-45.ep7.el6.noarch.rpm tomcat8-log4j-8.0.36-45.ep7.el6.noarch.rpm tomcat8-selinux-8.0.36-45.ep7.el6.noarch.rpm tomcat8-servlet-3.1-api-8.0.36-45.ep7.el6.noarch.rpm tomcat8-webapps-8.0.36-45.ep7.el6.noarch.rpm Red Hat JBoss Web Server 3.1 for RHEL 7: Source: tomcat7-7.0.70-41.ep7.el7.src.rpm tomcat8-8.0.36-45.ep7.el7.src.rpm noarch: tomcat7-7.0.70-41.ep7.el7.noarch.rpm tomcat7-admin-webapps-7.0.70-41.ep7.el7.noarch.rpm tomcat7-docs-webapp-7.0.70-41.ep7.el7.noarch.rpm tomcat7-el-2.2-api-7.0.70-41.ep7.el7.noarch.rpm tomcat7-javadoc-7.0.70-41.ep7.el7.noarch.rpm tomcat7-jsp-2.2-api-7.0.70-41.ep7.el7.noarch.rpm tomcat7-jsvc-7.0.70-41.ep7.el7.noarch.rpm tomcat7-lib-7.0.70-41.ep7.el7.noarch.rpm tomcat7-log4j-7.0.70-41.ep7.el7.noarch.rpm tomcat7-selinux-7.0.70-41.ep7.el7.noarch.rpm tomcat7-servlet-3.0-api-7.0.70-41.ep7.el7.noarch.rpm tomcat7-webapps-7.0.70-41.ep7.el7.noarch.rpm tomcat8-8.0.36-45.ep7.el7.noarch.rpm tomcat8-admin-webapps-8.0.36-45.ep7.el7.noarch.rpm tomcat8-docs-webapp-8.0.36-45.ep7.el7.noarch.rpm tomcat8-el-2.2-api-8.0.36-45.ep7.el7.noarch.rpm tomcat8-javadoc-8.0.36-45.ep7.el7.noarch.rpm tomcat8-jsp-2.3-api-8.0.36-45.ep7.el7.noarch.rpm tomcat8-jsvc-8.0.36-45.ep7.el7.noarch.rpm tomcat8-lib-8.0.36-45.ep7.el7.noarch.rpm tomcat8-log4j-8.0.36-45.ep7.el7.noarch.rpm tomcat8-selinux-8.0.36-45.ep7.el7.noarch.rpm tomcat8-servlet-3.1-api-8.0.36-45.ep7.el7.noarch.rpm tomcat8-webapps-8.0.36-45.ep7.el7.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-1935 https://access.redhat.com/security/cve/CVE-2020-13935 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXylDg9zjgjWX9erEAQj06g//ZTPPtFSotn5xsi2mDSvauOoiItVoLgyF 2nFB89pJmDjzOA1nxAki5/MSBW3DPsNCjMq8EVB94jz7vyuxnIopTzBese4tC6QQ GsNfRmn3visxaREWTUQquov3B7nV7+uI3Mun9u0rxxYAe8D5fy8KU/ZZqnzCKmp+ 04cFV18KQdXnPABu9iZPx13Yfk+x0Qf9SQYiOCbQyVuPpFQXYjdJhgFPQeY0GYLO qTKEac5UEeuMR0KZ2PwisWNwe2n8G+f4tn6uLpr26jrzsEhz/RaZK9UGE6E61ts5 b8I9eF3nmsITMiGxBsVewgiAUFRu32veaxgKYx+D/7uHZuNBBEII2sscA5jAzxnk bVqVwfivWsxxgctD4LnETGrWay4FzjXuL6yxwg2sfHH1VnxlhL1V1nSrnB6M+/vY VRchvqGvYHcP9dS3dhenZZTfyilyGxjBGGF1NsyUpuUo9GlgBo0MFfEM7vHp7DET fjklQj9fSYyWGXqfl+qdvgF9pN9kYJb65GCA4k+zN7GeAteK0dfBlXbsnJ4u9b6X JIDZVg5iCiAEJ3RUTFIHRTt6LK1RBTllbiHDPauic9Sb68rHNEQoIp2ero6/65vP IFqnjz+4vOcLVrkTpjWsNWixlTndaiDH1XLdtENz+vxdfnNmZD5VSblNJ/ScViE6 ottW4YHIE0k= =NNXu - -----END PGP SIGNATURE----- - ---------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 10 security update Advisory ID: RHSA-2020:3305-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2020:3305 Issue date: 2020-08-04 CVE Names: CVE-2020-1935 CVE-2020-13935 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Web Server 3.1, for RHEL 6, RHEL 7 and Windows. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 10 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es): * tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS (CVE-2020-13935) * tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2020-1935) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. 4. Bugs fixed (https://bugzilla.redhat.com/): 1806835 - CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling 1857024 - CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS 5. References: https://access.redhat.com/security/cve/CVE-2020-1935 https://access.redhat.com/security/cve/CVE-2020-13935 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1 https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXylD+tzjgjWX9erEAQguExAAmiLW9+Fi7a5LqIjF8AmZRbT09mQwJVdR LgOBIuDaRu4PjekSyyHUmQx1PfbapVf9k8nU3gDovIyUTiF5EZuVg9ehKjRQMOqN dd7/N0XMALqCRISvVgviAencNXkrbW+/W4tLY4IgFCDCkHvwqxfZ51hh30pkwpjb a7qAIOXXvmpzy5iS/ohtpifRZowxih2VA8fhubuDxJGS1qkKXREjQjw/JubBBMfS 5K0y1HgMP6q2eAVPeEveGnRhLSigsk35VDeuXY4mnUK6DKiJpmV7PKLmEeT+ocU5 kE97DO7aficX4xAzTn9fXlwlObjq+VkQIgeOqJ01zLIp9pok6UbWPacugVEvLaVp D/iV54ExEphF+OW0dQZd3JvsxUdFHMyDp9bCkwwhuAtNhPfDqDAXjBpjof45AXqm OobvCWgemWJ4YHXk5RG6vWqR+hmKHOSbaV0MtxZvnZSBqxlRj0D1MemuJPWPQ7MA O+2k8sw/deQLl/UvYNlFmQBKhuk20v79oPPOs/BiT+gPAPMbD+bUx71llcqXoC0d Zz40X7rqwaEHk2f87yiU0bF+0A1+NBOan83TwsPWK2BtGruWhikiU1IQuqvanu7V +nmKgjTNeXVoYApl9yLSgA8Jqcu+5+qmmJU4t1SZ6M42cEcfkGJ4L0VYLWITtXFL XWCFZYGyMeM= =yiu8 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXyoOHONLKJtyKPYoAQiB7xAAsyElsQSQY9DVoHftESAxXAiD07yur8Ny Czz1A2pXXOWc8dDHHaNOrDDPTfuiQ05tWDl8f0mVckDoKB5ZaanbH41aZsDUdY9K xrWukRBPag5pQcWA1WyEFS/FA3Kefa1GjioY7CdHxQCdDi/7cQqWOHusfmFiPYx3 DL+AOloQMxHGe5CztUU1AqJZ9EfY0pRT4zQCvLy26KBh46KCWDOoABsm6+eMUiBY xjGYAPLf101s68NzyJFRJDHd3J5ssbGtJKOzR+g/9baAGWM8iM+jKjAiYrhn1BHX HdZP8caSZPBuUgMRIZc5/WH0Mj+4OuHsTpzBZ72d/Jk5VM629heCiTzUk97IQTc0 4L3nLQHKFKzV95SGSc+rMa1r7FOpgRFyoGY+MnjbpcWRLU9derO11QiHDa2QsCTj mkUlBy/RWNrw5WUL8uGnOEyxkCSZi33gNAv25Zi+OhBwNk5XDBxx+Co5TYM7XPiQ nl+KMuJGOFKHTxvX/ReSwGrY0B+kdII9WI2escAjZhFXxGAZmxh8sAjSpXqd0vIR DXO80Pv1nuP+uOPRQ7n5YSK3RlfZatlC3HWvi7qtxjlDBdTFnm9v+sCx476/7Kse 6w/+I45t8gKzruLoFhca0LfnLYXe/mkC1b24n5I7POfEzqPt5s7U3J1jktB7m8bW ceSdEbGCNvQ= =iwBE -----END PGP SIGNATURE-----