Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2992 EAP Continuous Delivery Technical Preview Release 20 security update 1 September 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: EAP Continuous Delivery Technical Preview Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Read-only Data Access -- Existing Account Reduced Security -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-11612 CVE-2020-10740 CVE-2020-10719 CVE-2020-10714 CVE-2020-10705 CVE-2020-10683 CVE-2020-10673 CVE-2020-6950 CVE-2020-1954 CVE-2020-1719 CVE-2019-14900 CVE-2019-10172 CVE-2018-14371 CVE-2016-3720 Reference: ASB-2020.0025 ESB-2020.2895 ESB-2020.2837 ESB-2020.2826 ESB-2020.2619 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:3585 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: EAP Continuous Delivery Technical Preview Release 20 security update Advisory ID: RHSA-2020:3585-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:3585 Issue date: 2020-08-31 CVE Names: CVE-2018-14371 CVE-2019-10172 CVE-2019-14900 CVE-2020-1719 CVE-2020-1954 CVE-2020-6950 CVE-2020-10673 CVE-2020-10683 CVE-2020-10705 CVE-2020-10714 CVE-2020-10719 CVE-2020-10740 CVE-2020-11612 ===================================================================== 1. Summary: This is a security update for JBoss EAP Continuous Delivery 20. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform CD20 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform CD20 includes bug fixes and enhancements. Security Fix(es): * jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter (CVE-2018-14371) * jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172) * hibernate-core: hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673) * dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683) * undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header (CVE-2020-10705) * wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714) * undertow: invalid HTTP request with large chunk size (CVE-2020-10719) * wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740) * netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612) * wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719) * cxf-core: cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954) * jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. You must restart the JBoss server process for the update to take effect. The References section of this erratum contains a download link (you must log in to download the update) 4. Bugs fixed (https://bugzilla.redhat.com/): 1607709 - CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter 1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM 1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser 1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720 1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain 1803241 - CVE-2020-10705 undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header 1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution 1816216 - CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes 1824301 - CVE-2020-1954 cxf: JMX integration is vulnerable to a MITM attack 1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication 1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size 1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans 5. References: https://access.redhat.com/security/cve/CVE-2018-14371 https://access.redhat.com/security/cve/CVE-2019-10172 https://access.redhat.com/security/cve/CVE-2019-14900 https://access.redhat.com/security/cve/CVE-2020-1719 https://access.redhat.com/security/cve/CVE-2020-1954 https://access.redhat.com/security/cve/CVE-2020-6950 https://access.redhat.com/security/cve/CVE-2020-10673 https://access.redhat.com/security/cve/CVE-2020-10683 https://access.redhat.com/security/cve/CVE-2020-10705 https://access.redhat.com/security/cve/CVE-2020-10714 https://access.redhat.com/security/cve/CVE-2020-10719 https://access.redhat.com/security/cve/CVE-2020-10740 https://access.redhat.com/security/cve/CVE-2020-11612 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=eap-cd&version=20 https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform_continuous_delivery/20/ 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX00aHtzjgjWX9erEAQidPQ/+JRRyr01pUKQmnSpDhyf8BAKeJIVGi6Ve fMCvcSiNW4rEO4kstADNWe4/dfOypWz4ISsRQL5VrgVb29+xheHnKDP6IxnEidIG be1xL+0p9vTWV9KUw8Cr171j75lJiKSG6YaFiv0p5yMAMT2WGLCshBTlt0B3+LB5 Cb7jzzg/uu8RZk85tvOwzPqlt5Sb4SHkBp6d+4oBZniKlbQlGyolY14fYHItAovF hO2m3ehSLNz8QkS4BcVJA4B2nuGp/g2SqIBLHNBTdd5QLWbnd5ip7pY/mdLADkvf pH+Iqyjdiei48yPb3+zgNm/3I+oAiYpFpp4OQqlvIvOGz7WY85M3HtpQ9+6KgOZy VGslS/dFqPvF7XeVLUqCApERvtPaPfsJKgTxwKjNnx9LK1KB0TIpo8hxQCKwgitF aIm8F6/bn2wPnmsC69ojW0PKNmG99z80VFF26RbWvW4JPP8u0/GB6cNN+DJv20zu /N8lh229ybi84JLeiP7pzz5aS5xegI/jIcMrlamQBGD1umn8cF49WGiBEYJHYqNn aGW6KYKYsu+tCBXd2F/NM9cTpocBRqZuFPkDam23toVWS3TxUcBEdl+lu1IJcORX CNcuXI46FmKT+5krYOryErlvByHEnw0+AL2JAbpYoQHRWbYflo2tChm/KZuzGxyT Ub4++xlvXVY= =chfE - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX03gFeNLKJtyKPYoAQjlsA//RuzxQMP0lIq0EBsFp95vE1YMZhBr3Yel KPYEuXp2eokUzoezvJ5QfqWfrP4yCe0XafU/w+sVNdQd7s85arolyftNyM2RFaDZ RsIjZspMXBdibfT6TDUClifLndEnzsZIPy7tTk18YXGGZn+KC6KqYwN0+I8ZH93Q ubYeFwtm7PyWx9YWNywNRPkIBwHknWvU1vJXXrR6BY0kqi22QA0c1YhjFKE9vXTK fpLyBcCymOAq6ZMqCDrRsvuIgvcqFQiw79nLooynaxUWDva5VbzK3FNyvT1/GyBM /DC8f9aHzzA+gAqb0T3Bu7yxqH3Num9sp7UDd8pFeXqmVWtNz9ykH3rvyQRbme3B qN167UP0W+BHxcQjD/7yoWXtlIvFUsAw7vfTM96RbCheKuVDcIddS19tD8FR1x9f w6xWYgjakBGpXqfvT31ynUzzceR8EbKS4g6muS1blrZQX/dQsNgbGakqdqIl0Zll luasR3EDDKB0ZXoL9FotFSA7ZF2HknMK+qup1689n+jt77lP3GJ5eUiZvvpN83WP Sob2qV2pljPFGallEEIJn5x1CrnZqET6+14bMyTRpwcK+6M2WRXjkA6YJD2o/4v0 8Jnp3JjLst0F0wFgAY8YSKRUHglGNbrKWnaAKZbx6fXYRL/GDEC+fi0h8JgykWAv PvwEYAlRG0o= =TjQR -----END PGP SIGNATURE-----