===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3507
  Red Hat JBoss Enterprise Application Platform 7.3.3 security update on RHEL 6
                              14 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Enterprise Application Platform 7.3.3
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux Server 8
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14340 CVE-2020-14338 CVE-2020-14299 CVE-2020-1954

Reference:         ESB-2020.3485
                   ESB-2020.2992

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:4244
   https://access.redhat.com/errata/RHSA-2020:4245
   https://access.redhat.com/errata/RHSA-2020:4246
   https://access.redhat.com/errata/RHSA-2020:4247

Comment: This bulletin contains four (4) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 7.3.3 security update on RHEL 6
Advisory ID:       RHSA-2020:4244-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4244
Issue date:        2020-10-13
CVE Names:         CVE-2020-1954 CVE-2020-14299 CVE-2020-14338 CVE-2020-14340
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.3 for RHEL 6 Server - noarch, x86_64

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.3.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.2 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.3 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299)

* wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)

* xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340)

* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details about how to apply this update, see:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1824301 - CVE-2020-1954 cxf: JMX integration is vulnerable to a MITM attack
1848533 - CVE-2020-14299 picketbox: JBoss EAP reload to admin-only mode allows authentication bypass
1860054 - CVE-2020-14338 wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl
1860218 - CVE-2020-14340 xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS

6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-19379 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.17 to 5.3.18
JBEAP-19442 - Tracker bug for the EAP 7.3.3 release for RHEL-6
JBEAP-19596 - [GSS](7.3.z) CMTOOL-277 - Migration from EAP 6.4 Update 22 to EAP 7.3 create a misspelled 'Application Realm'
JBEAP-19613 - (7.3.z) ELY-1975 - Update AcmeClientSpi#obtainCertificate so that it obtains the order URL from the response to newOrder
JBEAP-19615 - (7.3.z) ELY-1968 - Update error message returned by AcmeClientSpi#getLocation
JBEAP-19642 - (7.3.z) Upgrade jberet-core from 1.3.5.Final to 1.3.7.Final
JBEAP-19695 - [GSS](7.3.z) Upgrade Apache CXF from 3.3.5 to 3.3.7
JBEAP-19698 - [GSS](7.3.z) Upgrade Invocation from 1.5.2.Final-redhat-00001 to 1.5.3.Final...
JBEAP-19700 - [GSS](7.3.z) Upgrade Migration Tool from 1.7.1-redhat-00003 to 1.7.2-redhat-00001
JBEAP-19701 - [GSS](7.3.z) Upgrade jgroups from 4.1.4.Final-redhat-00001 to 4.1.10.Final-redhat-00001
JBEAP-19715 - [GSS](7.3.z) Upgrade Artemis Native to 1.0.2
JBEAP-19746 - [GSS](7.3.z) Upgrade JBoss Log Manager from 2.1.15 to 2.1.17
JBEAP-19789 - [GSS](7.3.z) Upgrade Narayana from 5.9.8.Final to 5.9.9.Final
JBEAP-19791 - [GSS](7.3.z) Upgrade HAL from 3.2.9.Final-redhat-00001 to 3.2.10.Final-redhat-00001
JBEAP-19795 - (7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP11-redhat-00001 to 2.3.9.SP12-redhat-00001
JBEAP-19796 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00010 to 2.9.0.redhat-00011
JBEAP-19822 - (7.3.z) Upgrade MP fault-tolerance to 2.1.1
JBEAP-19888 - (7.3.z) Upgrade SmallRye OpenAPI to 1.1.23
JBEAP-19934 - (7.3.z) Upgrade bouncycastle to 1.65
JBEAP-19935 - (7.3.z) Upgrade commons-codec to 1.14
JBEAP-19936 - (7.3.z) Upgrade commons-lang3 from 3.9 to 3.10
JBEAP-19937 - (7.3.z) Upgrade snakeyaml to 1.26
JBEAP-19938 - (7.3.z) Upgrade velocity to 2.2
JBEAP-19939 - (7.3.z) Upgrade httpcomponents httpclient from 4.5.4 to 4.5.12
JBEAP-19940 - (7.3.z) Upgrade httpcomponents httpcore from 4.4.5 to 4.4.13
JBEAP-19942 - (7.3.z) Upgrade XNIO from 3.7.8.SP1 to 3.7.9.Final
JBEAP-19955 - (7.3.z) Update xmlschema to 2.2.5
JBEAP-19965 - (7.3.z) Fix PreservePathTestCase after httpclient upgrade
JBEAP-20027 - (7.3.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00012 to 2.5.5.SP12-redhat-00013
JBEAP-20037 - [GSS](7.3.z) Upgrade wildfly-transaction-client from 1.1.11.Final-redhat-00001 to 1.1.13.Final-redhat-00001
JBEAP-20064 - (7.3.z) Update PR template to include PR-processor hints for wildfly-core-eap
JBEAP-20087 - [GSS](7.3.z) WFLY-13147 - Deployment slowdown after WFLY upgrade (DeploymentArchive handling)
JBEAP-20112 - (7.3.z) Upgrade smallrye-fault-tolerance to 4.2.1

7. Package List:

Red Hat JBoss EAP 7.3 for RHEL 6 Server:

Source:
eap7-activemq-artemis-2.9.0-5.redhat_00011.1.el6eap.src.rpm
eap7-activemq-artemis-native-1.0.2-1.redhat_00001.1.el6eap.src.rpm
eap7-apache-commons-codec-1.14.0-1.redhat_00001.1.el6eap.src.rpm
eap7-apache-commons-lang-3.10.0-1.redhat_00001.1.el6eap.src.rpm
eap7-apache-cxf-3.3.7-1.redhat_00001.1.el6eap.src.rpm
eap7-artemis-native-1.0.2-3.redhat_1.el6eap.src.rpm
eap7-bouncycastle-1.65.0-1.redhat_00001.1.el6eap.src.rpm
eap7-glassfish-jsf-2.3.9-11.SP12_redhat_00001.1.el6eap.src.rpm
eap7-hal-console-3.2.10-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-hibernate-5.3.18-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-httpcomponents-client-4.5.12-1.redhat_00001.1.el6eap.src.rpm
eap7-httpcomponents-core-4.4.13-1.redhat_00001.1.el6eap.src.rpm
eap7-jberet-1.3.7-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-invocation-1.5.3-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-logmanager-2.1.17-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-server-migration-1.7.2-2.Final_redhat_00002.1.el6eap.src.rpm
eap7-jboss-xnio-base-3.7.9-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jgroups-4.1.10-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-narayana-5.9.9-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-picketbox-5.0.3-8.Final_redhat_00007.1.el6eap.src.rpm
eap7-picketlink-bindings-2.5.5-25.SP12_redhat_00013.1.el6eap.src.rpm
eap7-snakeyaml-1.26.0-1.redhat_00001.1.el6eap.src.rpm
eap7-undertow-2.0.31-1.SP1_redhat_00001.1.el6eap.src.rpm
eap7-velocity-2.2.0-1.redhat_00001.1.el6eap.src.rpm
eap7-wildfly-7.3.3-4.GA_redhat_00004.1.el6eap.src.rpm
eap7-wildfly-elytron-1.10.8-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-wildfly-transaction-client-1.1.13-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-ws-commons-XmlSchema-2.2.5-1.redhat_00001.1.el6eap.src.rpm
eap7-xerces-j2-2.12.0-2.SP03_redhat_00001.1.el6eap.src.rpm

noarch:
eap7-activemq-artemis-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-cli-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-commons-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-core-client-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-dto-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-hornetq-protocol-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-hqclient-protocol-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-jdbc-store-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-jms-client-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-jms-server-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-journal-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-native-1.0.2-1.redhat_00001.1.el6eap.noarch.rpm
eap7-activemq-artemis-ra-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-selector-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-server-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-service-extensions-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-activemq-artemis-tools-2.9.0-5.redhat_00011.1.el6eap.noarch.rpm
eap7-apache-commons-codec-1.14.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-apache-commons-lang-3.10.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-apache-cxf-3.3.7-1.redhat_00001.1.el6eap.noarch.rpm
eap7-apache-cxf-rt-3.3.7-1.redhat_00001.1.el6eap.noarch.rpm
eap7-apache-cxf-services-3.3.7-1.redhat_00001.1.el6eap.noarch.rpm
eap7-apache-cxf-tools-3.3.7-1.redhat_00001.1.el6eap.noarch.rpm
eap7-bouncycastle-1.65.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-bouncycastle-mail-1.65.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-bouncycastle-pkix-1.65.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-bouncycastle-prov-1.65.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-glassfish-jsf-2.3.9-11.SP12_redhat_00001.1.el6eap.noarch.rpm
eap7-hal-console-3.2.10-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-5.3.18-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-core-5.3.18-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-entitymanager-5.3.18-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-envers-5.3.18-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-java8-5.3.18-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-httpcomponents-client-4.5.12-1.redhat_00001.1.el6eap.noarch.rpm
eap7-httpcomponents-core-4.4.13-1.redhat_00001.1.el6eap.noarch.rpm
eap7-jberet-1.3.7-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jberet-core-1.3.7-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-invocation-1.5.3-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-logmanager-2.1.17-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-server-migration-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-cli-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-core-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.0-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.1-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.3-server-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.0-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.1-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly11.0-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly12.0-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly13.0-server-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly14.0-server-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly15.0-server-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly16.0-server-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly17.0-server-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly18.0-server-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly8.2-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly9.0-1.7.2-2.Final_redhat_00002.1.el6eap.noarch.rpm
eap7-jboss-xnio-base-3.7.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jgroups-4.1.10-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-compensations-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-jbosstxbridge-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-jbossxts-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-jts-idlj-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-jts-integration-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-restat-api-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-restat-bridge-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-restat-integration-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-restat-util-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-txframework-5.9.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-picketbox-5.0.3-8.Final_redhat_00007.1.el6eap.noarch.rpm
eap7-picketbox-infinispan-5.0.3-8.Final_redhat_00007.1.el6eap.noarch.rpm
eap7-picketlink-bindings-2.5.5-25.SP12_redhat_00013.1.el6eap.noarch.rpm
eap7-picketlink-wildfly8-2.5.5-25.SP12_redhat_00013.1.el6eap.noarch.rpm
eap7-snakeyaml-1.26.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-undertow-2.0.31-1.SP1_redhat_00001.1.el6eap.noarch.rpm
eap7-velocity-2.2.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-velocity-engine-core-2.2.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-7.3.3-4.GA_redhat_00004.1.el6eap.noarch.rpm
eap7-wildfly-elytron-1.10.8-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-elytron-tool-1.10.8-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-javadocs-7.3.3-4.GA_redhat_00004.1.el6eap.noarch.rpm
eap7-wildfly-modules-7.3.3-4.GA_redhat_00004.1.el6eap.noarch.rpm
eap7-wildfly-transaction-client-1.1.13-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ws-commons-XmlSchema-2.2.5-1.redhat_00001.1.el6eap.noarch.rpm
eap7-xerces-j2-2.12.0-2.SP03_redhat_00001.1.el6eap.noarch.rpm

x86_64:
eap7-artemis-native-1.0.2-3.redhat_1.el6eap.x86_64.rpm
eap7-artemis-native-wildfly-1.0.2-3.redhat_1.el6eap.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2020-1954
https://access.redhat.com/security/cve/CVE-2020-14299
https://access.redhat.com/security/cve/CVE-2020-14338
https://access.redhat.com/security/cve/CVE-2020-14340
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
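A post-update verification check, added here as an example and not part of the Red Hat advisory or the AusCERT bulletin: it ports rpm's own version ordering (rpmvercmp) to Python and reports which installed eap7-* packages on a RHEL 6 host are still below the fixed versions in the package list above. It assumes the host inventory was captured with rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' 'eap7-*' (the query tags are real rpm options; the inventory embedded below is constructed, not taken from any real host, and only a subset of the fixed package list is included).

```python
r"""Post-update check for RHSA-2020:4244 (EAP 7.3.3 on RHEL 6): added example,
not Red Hat or AusCERT tooling. Compares a host's installed eap7-* packages with
the advisory's fixed versions using a port of rpm's rpmvercmp() ordering.
Assumed inventory source: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' 'eap7-*'
"""
from collections import namedtuple

NVRA = namedtuple("NVRA", "name version release arch")

# Subset of the advisory's RHEL 6 package list (names copied verbatim).
FIXED_PACKAGES = """
eap7-wildfly-7.3.3-4.GA_redhat_00004.1.el6eap.noarch.rpm
eap7-picketbox-5.0.3-8.Final_redhat_00007.1.el6eap.noarch.rpm
eap7-jboss-xnio-base-3.7.9-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-apache-cxf-3.3.7-1.redhat_00001.1.el6eap.noarch.rpm
eap7-xerces-j2-2.12.0-2.SP03_redhat_00001.1.el6eap.noarch.rpm
eap7-artemis-native-1.0.2-3.redhat_1.el6eap.x86_64.rpm
""".split()

# Constructed sample inventory (not captured from any real host).
SAMPLE_INVENTORY = """
eap7-wildfly-7.3.2-4.GA_redhat_00003.1.el6eap.noarch
eap7-picketbox-5.0.3-7.Final_redhat_00006.1.el6eap.noarch
eap7-jboss-xnio-base-3.7.9-1.Final_redhat_00001.1.el6eap.noarch
eap7-apache-cxf-3.3.5-1.redhat_00001.1.el6eap.noarch
eap7-xerces-j2-2.12.0-2.SP03_redhat_00002.1.el6eap.noarch
eap7-artemis-native-1.0.2-3.redhat_1.el6eap.x86_64
eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el6eap.noarch
"""

def parse_nvra(pkg):
    """Split 'name-version-release.arch[.rpm]'; version/release never contain '-'."""
    pkg = pkg.strip()
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    name, version, rel_arch = pkg.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return NVRA(name, version, release, arch)

def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b. Digit runs
    compare numerically, letter runs lexically, digits beat letters, '~' sorts
    before even the end of the string and '^' sorts just after it."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1  # separators such as '.' and '_' are skipped
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if "~" in (ca, cb):
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):
            if ca != cb:  # caret beats end of string, loses to anything else
                other = cb if ca == "^" else ca
                return 1 if (ca == "^") == (other == "") else -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ia, jb = i, j
        while ia < len(a) and kind(a[ia]):
            ia += 1
        while jb < len(b) and kind(b[jb]):
            jb += 1
        seg_a, seg_b = a[i:ia], b[j:jb]
        if not seg_b:  # one side has digits where the other has letters
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ia, jb
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def audit(inventory, fixed=FIXED_PACKAGES):
    """Map each covered installed package to (installed, fixed, status).
    Epoch is assumed to be 0 on both sides; source RPMs are ignored."""
    wanted = {(p.name, p.arch): p for p in map(parse_nvra, fixed) if p.arch != "src"}
    findings = {}
    for inst in map(parse_nvra, inventory.split()):
        ref = wanted.get((inst.name, inst.arch))
        if ref is None:
            continue  # not covered by this advisory
        order = rpmvercmp(inst.version, ref.version) or rpmvercmp(inst.release, ref.release)
        status = "vulnerable" if order < 0 else "patched"
        findings[inst.name] = ("%s-%s" % (inst.version, inst.release), "%s-%s" % (ref.version, ref.release), status)
    return findings

if __name__ == "__main__":
    for name, (have, want, status) in sorted(audit(SAMPLE_INVENTORY).items()):
        print("%-22s %-10s installed %s  fixed %s" % (name, status, have, want))
```

Packages that are newer than the advisory's build (for example from a later cumulative update) are reported as patched; packages the advisory does not list are skipped rather than flagged.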
- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX4Xdt9zjgjWX9erEAQgCFA//XsPWT3jQa6pgYZFPPy9W9uUBjyGCewoJ UTbuaq0SfTwlLL+cpIOKF9NTsx5de8lIGQKshIVeD9TQ508VTbc9BqpCaHK8dv5P cpwKH1qtWbv7LtdPWT+93RPkKSAiUHbCe8btisT847+w80Je61XU3MEfMwKrVXoL YSTpO8ypF9hKEL6QUwiEwt6wU5MXzneUEyB4TUeAlM3ChDjDx9Qs67nVDcZZ31KM ADDlwDCkcb4Stco8OFufhnOrM7rlu4IgSoEB/JAKNpOaZQb47iJ7BDZKr+9Uc8DC i4Q9MIK7V3R/oGaCzJN/WwjOxOah2b+pP2eYo/A6VNetyIJdO/W9P72cPblIPSUG lsFAWyKbfvQA+uDkvhq6jW/+H+9E0T8rosMJBkjljOZ9QVCfmZAmWj7pY/6UW6wt zIU4mvcq3Vz2yzN9uWybYNMSUqP2Ohk6imyz8R+25AXMPdvAmpZL5Hv+I50NRfGH q4S/z2vvvxsgQrvHLAlBDcYF9i4Il7n6Cc8GNoGIfpU5rk3mBtfI1j3lxOvBUL1H N+8MRzUVvTvGd3qfHURMPfUNC+fQVuP4dE9Y/7oJGLbRxJ/3Mcoyya+NjHGH9tef toASyYIoKTy7+8w5A4m42S9mScBRJnTtBo7kP39trelV/K8vGm6cpRL7PKPkJEgn 63XxuQ1FhbM= =eJOZ - -----END PGP SIGNATURE----- - ------------------------------------------------------------------------------ - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.3 security update on RHEL 8 Advisory ID: RHSA-2020:4245-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:4245 Issue date: 2020-10-13 CVE Names: CVE-2020-1954 CVE-2020-14299 CVE-2020-14338 CVE-2020-14340 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch, x86_64 3. 
Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.2 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.3 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299) * wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338) * xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340) * cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. For details about how to apply this update, see: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1824301 - CVE-2020-1954 cxf: JMX integration is vulnerable to a MITM attack 1848533 - CVE-2020-14299 picketbox: JBoss EAP reload to admin-only mode allows authentication bypass 1860054 - CVE-2020-14338 wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl 1860218 - CVE-2020-14340 xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS 6. 
JIRA issues fixed (https://issues.jboss.org/): JBEAP-19379 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.17 to 5.3.18 JBEAP-19444 - Tracker bug for the EAP 7.3.3 release for RHEL-8 JBEAP-19596 - [GSS](7.3.z) CMTOOL-277 - Migration from EAP 6.4 Update 22 to EAP 7.3 create a misspelled 'Application Realm' JBEAP-19613 - (7.3.z) ELY-1975 - Update AcmeClientSpi#obtainCertificate so that it obtains the order URL from the response to newOrder JBEAP-19615 - (7.3.z) ELY-1968 - Update error message returned by AcmeClientSpi#getLocation JBEAP-19642 - (7.3.z) Upgrade jberet-core from 1.3.5.Final to 1.3.7.Final JBEAP-19695 - [GSS](7.3.z) Upgrade Apache CXF from 3.3.5 to 3.3.7 JBEAP-19698 - [GSS](7.3.z) Upgrade Invocation from 1.5.2.Final-redhat-00001 to 1.5.3.Final... JBEAP-19700 - [GSS](7.3.z) Upgrade Migration Tool from 1.7.1-redhat-00003 to 1.7.2-redhat-00001 JBEAP-19701 - [GSS](7.3.z) Upgrade jgroups from 4.1.4.Final-redhat-00001 to 4.1.10.Final-redhat-00001 JBEAP-19715 - [GSS](7.3.z) Upgrade Artemis Native to 1.0.2 JBEAP-19746 - [GSS](7.3.z) Upgrade JBoss Log Manager from 2.1.15 to 2.1.17 JBEAP-19789 - [GSS](7.3.z) Upgrade Narayana from 5.9.8.Final to 5.9.9.Final JBEAP-19791 - [GSS](7.3.z) Upgrade HAL from 3.2.9.Final-redhat-00001 to 3.2.10.Final-redhat-00001 JBEAP-19795 - (7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP11-redhat-00001 to 2.3.9.SP12-redhat-00001 JBEAP-19796 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00010 to 2.9.0.redhat-00011 JBEAP-19822 - (7.3.z) Upgrade MP fault-tolerance to 2.1.1 JBEAP-19888 - (7.3.z) Upgrade SmallRye OpenAPI to 1.1.23 JBEAP-19934 - (7.3.z) Upgrade bouncycastle to 1.65 JBEAP-19935 - (7.3.z) Upgrade commons-codec to 1.14 JBEAP-19936 - (7.3.z) Upgrade commons-lang3 from 3.9 to 3.10 JBEAP-19937 - (7.3.z) Upgrade snakeyaml to 1.26 JBEAP-19938 - (7.3.z) Upgrade velocity to 2.2 JBEAP-19939 - (7.3.z) Upgrade httpcomponents httpclient from 4.5.4 to 4.5.12 JBEAP-19940 - (7.3.z) Upgrade httpcomponents httpcore from 4.4.5 to 4.4.13 JBEAP-19942 
- (7.3.z) Upgrade XNIO from 3.7.8.SP1 to 3.7.9.Final JBEAP-19955 - (7.3.z) Update xmlschema to 2.2.5 JBEAP-19965 - (7.3.z) Fix PreservePathTestCase after httpclient upgrade JBEAP-20027 - (7.3.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00012 to 2.5.5.SP12-redhat-00013 JBEAP-20037 - [GSS](7.3.z) Upgrade wildfly-transaction-client from 1.1.11.Final-redhat-00001 to 1.1.13.Final-redhat-00001 JBEAP-20064 - (7.3.z) Update PR template to include PR-processor hints for wildfly-core-eap JBEAP-20087 - [GSS](7.3.z) WFLY-13147 - Deployment slowdown after WFLY upgrade (DeploymentArchive handling) JBEAP-20112 - (7.3.z) Upgrade smallrye-fault-tolerance to 4.2.1 7. Package List: Red Hat JBoss EAP 7.3 for BaseOS-8: Source: eap7-activemq-artemis-2.9.0-5.redhat_00011.1.el8eap.src.rpm eap7-activemq-artemis-native-1.0.2-1.redhat_00001.1.el8eap.src.rpm eap7-apache-commons-codec-1.14.0-1.redhat_00001.1.el8eap.src.rpm eap7-apache-commons-lang-3.10.0-1.redhat_00001.1.el8eap.src.rpm eap7-apache-cxf-3.3.7-1.redhat_00001.1.el8eap.src.rpm eap7-artemis-native-1.0.2-3.redhat_1.el8eap.src.rpm eap7-bouncycastle-1.65.0-1.redhat_00001.1.el8eap.src.rpm eap7-glassfish-jsf-2.3.9-11.SP12_redhat_00001.1.el8eap.src.rpm eap7-hal-console-3.2.10-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-5.3.18-1.Final_redhat_00001.1.el8eap.src.rpm eap7-httpcomponents-client-4.5.12-1.redhat_00001.1.el8eap.src.rpm eap7-httpcomponents-core-4.4.13-1.redhat_00001.1.el8eap.src.rpm eap7-jberet-1.3.7-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-invocation-1.5.3-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-logmanager-2.1.17-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.7.2-2.Final_redhat_00002.1.el8eap.src.rpm eap7-jboss-xnio-base-3.7.9-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jgroups-4.1.10-1.Final_redhat_00001.1.el8eap.src.rpm eap7-narayana-5.9.9-1.Final_redhat_00001.1.el8eap.src.rpm eap7-picketbox-5.0.3-8.Final_redhat_00007.1.el8eap.src.rpm 
eap7-picketlink-bindings-2.5.5-25.SP12_redhat_00013.1.el8eap.src.rpm eap7-snakeyaml-1.26.0-1.redhat_00001.1.el8eap.src.rpm eap7-undertow-2.0.31-1.SP1_redhat_00001.1.el8eap.src.rpm eap7-velocity-2.2.0-1.redhat_00001.1.el8eap.src.rpm eap7-wildfly-7.3.3-4.GA_redhat_00004.1.el8eap.src.rpm eap7-wildfly-elytron-1.10.8-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-transaction-client-1.1.13-1.Final_redhat_00001.1.el8eap.src.rpm eap7-ws-commons-XmlSchema-2.2.5-1.redhat_00001.1.el8eap.src.rpm eap7-xerces-j2-2.12.0-2.SP03_redhat_00001.1.el8eap.src.rpm noarch: eap7-activemq-artemis-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-cli-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-commons-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-core-client-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-dto-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-client-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-server-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-journal-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-native-1.0.2-1.redhat_00001.1.el8eap.noarch.rpm eap7-activemq-artemis-ra-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-selector-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-server-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-activemq-artemis-tools-2.9.0-5.redhat_00011.1.el8eap.noarch.rpm eap7-apache-commons-codec-1.14.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-apache-commons-lang-3.10.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-apache-cxf-3.3.7-1.redhat_00001.1.el8eap.noarch.rpm 
eap7-apache-cxf-rt-3.3.7-1.redhat_00001.1.el8eap.noarch.rpm eap7-apache-cxf-services-3.3.7-1.redhat_00001.1.el8eap.noarch.rpm eap7-apache-cxf-tools-3.3.7-1.redhat_00001.1.el8eap.noarch.rpm eap7-bouncycastle-1.65.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-bouncycastle-mail-1.65.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-bouncycastle-pkix-1.65.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-bouncycastle-prov-1.65.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-glassfish-jsf-2.3.9-11.SP12_redhat_00001.1.el8eap.noarch.rpm eap7-hal-console-3.2.10-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-5.3.18-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-core-5.3.18-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-entitymanager-5.3.18-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-envers-5.3.18-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-java8-5.3.18-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-httpcomponents-client-4.5.12-1.redhat_00001.1.el8eap.noarch.rpm eap7-httpcomponents-core-4.4.13-1.redhat_00001.1.el8eap.noarch.rpm eap7-jberet-1.3.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jberet-core-1.3.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-invocation-1.5.3-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-logmanager-2.1.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-server-migration-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm 
eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.3-server-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly15.0-server-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly16.0-server-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly17.0-server-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly18.0-server-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.7.2-2.Final_redhat_00002.1.el8eap.noarch.rpm eap7-jboss-xnio-base-3.7.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jgroups-4.1.10-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-compensations-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jbosstxbridge-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jbossxts-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jts-idlj-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jts-integration-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-api-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-bridge-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm 
eap7-narayana-restat-integration-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-util-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-txframework-5.9.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-picketbox-5.0.3-8.Final_redhat_00007.1.el8eap.noarch.rpm eap7-picketbox-infinispan-5.0.3-8.Final_redhat_00007.1.el8eap.noarch.rpm eap7-picketlink-bindings-2.5.5-25.SP12_redhat_00013.1.el8eap.noarch.rpm eap7-picketlink-wildfly8-2.5.5-25.SP12_redhat_00013.1.el8eap.noarch.rpm eap7-snakeyaml-1.26.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-undertow-2.0.31-1.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-velocity-2.2.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-velocity-engine-core-2.2.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-7.3.3-4.GA_redhat_00004.1.el8eap.noarch.rpm eap7-wildfly-elytron-1.10.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-elytron-tool-1.10.8-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.3.3-4.GA_redhat_00004.1.el8eap.noarch.rpm eap7-wildfly-modules-7.3.3-4.GA_redhat_00004.1.el8eap.noarch.rpm eap7-wildfly-transaction-client-1.1.13-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ws-commons-XmlSchema-2.2.5-1.redhat_00001.1.el8eap.noarch.rpm eap7-xerces-j2-2.12.0-2.SP03_redhat_00001.1.el8eap.noarch.rpm x86_64: eap7-artemis-native-1.0.2-3.redhat_1.el8eap.x86_64.rpm eap7-artemis-native-wildfly-1.0.2-3.redhat_1.el8eap.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. 
References: https://access.redhat.com/security/cve/CVE-2020-1954 https://access.redhat.com/security/cve/CVE-2020-14299 https://access.redhat.com/security/cve/CVE-2020-14338 https://access.redhat.com/security/cve/CVE-2020-14340 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX4XdnNzjgjWX9erEAQiXuw//R4g+s6n+rk7hCp48kUecgr/5ci5EP6UM 7BsPN7sPZcLyYiZZsP+/6hHbB/dkfUyL8zJMQBQHHcwjhFkI9diYjraI2/K2BTo8 Fb/JEJoCmDs88/LUUpMebq7SSulBWhtfKYwCCOGy6pCpRAka99nzFXGr1y4H1ozJ berY8tq9PVJLJyuKGyoK+06fENIV2b/Oir68lSGrTMJVQeqb9TclI1pRIZ/8iZNh OQOnXk85y81YrQTlynAlBnlMCtSNEFMBUi5b25Q30ZNxMaegYyezvlgs790hLZQA UUfjAdFsk341kK0uop93y9MnDT1qUiYNG1rJ5DBB0jzyq7zQk2GxwBYg3mhItMhi FBZ6oeePwEEq4Bxpd1vERDQQW+zCpd0jLJ4nvU1wFIQZK7eSBk6Lz4ws2XUHmuru yXCcJZWqkXzQwhYMSq3y1fVcTAl6HcWxoBuX1TU9AmZWKcUlHN9Lo6BF4fMEhXH/ UrQNC+mOnCAjJrD1sGyPlozMnZnu96fVMURTDdz4J9aN1JU1t0fb2MgD3X3VZWto ducjlQPeNTI1+elmaBxAS8A7a+UaN63QgjeCQfzjEky89Jvfv/Ra6i5R5x8LrrQf zMn1XyxOAefzehiV8SR801W8dE7D7RlF5y/TH0ciA/CIzUSNAbb4tDlGcSDPig+a PGc+57G5XO4= =OgA5 - -----END PGP SIGNATURE----- - ------------------------------------------------------------------------------ - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.3 security update on RHEL 7 Advisory ID: RHSA-2020:4246-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:4246 Issue date: 2020-10-13 
CVE Names:         CVE-2020-1954 CVE-2020-14299 CVE-2020-14338 CVE-2020-14340
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.3 for RHEL 7 Server - noarch, x86_64

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.3.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.2 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.3 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299)

* wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)

* xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340)

* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details about how to apply this update, see:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1824301 - CVE-2020-1954 cxf: JMX integration is vulnerable to a MITM attack
1848533 - CVE-2020-14299 picketbox: JBoss EAP reload to admin-only mode allows authentication bypass
1860054 - CVE-2020-14338 wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl
1860218 - CVE-2020-14340 xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS

6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-19379 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.17 to 5.3.18
JBEAP-19442 - Tracker bug for the EAP 7.3.3 release for RHEL-6
JBEAP-19443 - Tracker bug for the EAP 7.3.3 release for RHEL-7
JBEAP-19596 - [GSS](7.3.z) CMTOOL-277 - Migration from EAP 6.4 Update 22 to EAP 7.3 create a misspelled 'Application Realm'
JBEAP-19613 - (7.3.z) ELY-1975 - Update AcmeClientSpi#obtainCertificate so that it obtains the order URL from the response to newOrder
JBEAP-19615 - (7.3.z) ELY-1968 - Update error message returned by AcmeClientSpi#getLocation
JBEAP-19642 - (7.3.z) Upgrade jberet-core from 1.3.5.Final to 1.3.7.Final
JBEAP-19695 - [GSS](7.3.z) Upgrade Apache CXF from 3.3.5 to 3.3.7
JBEAP-19698 - [GSS](7.3.z) Upgrade Invocation from 1.5.2.Final-redhat-00001 to 1.5.3.Final...
JBEAP-19700 - [GSS](7.3.z) Upgrade Migration Tool from 1.7.1-redhat-00003 to 1.7.2-redhat-00001
JBEAP-19701 - [GSS](7.3.z) Upgrade jgroups from 4.1.4.Final-redhat-00001 to 4.1.10.Final-redhat-00001
JBEAP-19715 - [GSS](7.3.z) Upgrade Artemis Native to 1.0.2
JBEAP-19746 - [GSS](7.3.z) Upgrade JBoss Log Manager from 2.1.15 to 2.1.17
JBEAP-19789 - [GSS](7.3.z) Upgrade Narayana from 5.9.8.Final to 5.9.9.Final
JBEAP-19791 - [GSS](7.3.z) Upgrade HAL from 3.2.9.Final-redhat-00001 to 3.2.10.Final-redhat-00001
JBEAP-19795 - (7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP11-redhat-00001 to 2.3.9.SP12-redhat-00001
JBEAP-19796 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00010 to 2.9.0.redhat-00011
JBEAP-19822 - (7.3.z) Upgrade MP fault-tolerance to 2.1.1
JBEAP-19888 - (7.3.z) Upgrade SmallRye OpenAPI to 1.1.23
JBEAP-19934 - (7.3.z) Upgrade bouncycastle to 1.65
JBEAP-19935 - (7.3.z) Upgrade commons-codec to 1.14
JBEAP-19936 - (7.3.z) Upgrade commons-lang3 from 3.9 to 3.10
JBEAP-19937 - (7.3.z) Upgrade snakeyaml to 1.26
JBEAP-19938 - (7.3.z) Upgrade velocity to 2.2
JBEAP-19939 - (7.3.z) Upgrade httpcomponents httpclient from 4.5.4 to 4.5.12
JBEAP-19940 - (7.3.z) Upgrade httpcomponents httpcore from 4.4.5 to 4.4.13
JBEAP-19942 - (7.3.z) Upgrade XNIO from 3.7.8.SP1 to 3.7.9.Final
JBEAP-19955 - (7.3.z) Update xmlschema to 2.2.5
JBEAP-19965 - (7.3.z) Fix PreservePathTestCase after httpclient upgrade
JBEAP-20027 - (7.3.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00012 to 2.5.5.SP12-redhat-00013
JBEAP-20037 - [GSS](7.3.z) Upgrade wildfly-transaction-client from 1.1.11.Final-redhat-00001 to 1.1.13.Final-redhat-00001
JBEAP-20064 - (7.3.z) Update PR template to include PR-processor hints for wildfly-core-eap
JBEAP-20087 - [GSS](7.3.z) WFLY-13147 - Deployment slowdown after WFLY upgrade (DeploymentArchive handling)
JBEAP-20112 - (7.3.z) Upgrade smallrye-fault-tolerance to 4.2.1

7. Package List:

Red Hat JBoss EAP 7.3 for RHEL 7 Server:

Source:
eap7-activemq-artemis-2.9.0-5.redhat_00011.1.el7eap.src.rpm
eap7-activemq-artemis-native-1.0.2-1.redhat_00001.1.el7eap.src.rpm
eap7-apache-commons-codec-1.14.0-1.redhat_00001.1.el7eap.src.rpm
eap7-apache-commons-lang-3.10.0-1.redhat_00001.1.el7eap.src.rpm
eap7-apache-cxf-3.3.7-1.redhat_00001.1.el7eap.src.rpm
eap7-artemis-native-1.0.2-3.redhat_1.el7eap.src.rpm
eap7-bouncycastle-1.65.0-1.redhat_00001.1.el7eap.src.rpm
eap7-glassfish-jsf-2.3.9-11.SP12_redhat_00001.1.el7eap.src.rpm
eap7-hal-console-3.2.10-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-hibernate-5.3.18-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-httpcomponents-client-4.5.12-1.redhat_00001.1.el7eap.src.rpm
eap7-httpcomponents-core-4.4.13-1.redhat_00001.1.el7eap.src.rpm
eap7-jberet-1.3.7-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-invocation-1.5.3-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-logmanager-2.1.17-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-server-migration-1.7.2-2.Final_redhat_00002.1.el7eap.src.rpm
eap7-jboss-xnio-base-3.7.9-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jgroups-4.1.10-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-narayana-5.9.9-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-picketbox-5.0.3-8.Final_redhat_00007.1.el7eap.src.rpm
eap7-picketlink-bindings-2.5.5-25.SP12_redhat_00013.1.el7eap.src.rpm
eap7-snakeyaml-1.26.0-1.redhat_00001.1.el7eap.src.rpm
eap7-undertow-2.0.31-1.SP1_redhat_00001.1.el7eap.src.rpm
eap7-velocity-2.2.0-1.redhat_00001.1.el7eap.src.rpm
eap7-wildfly-7.3.3-4.GA_redhat_00004.1.el7eap.src.rpm
eap7-wildfly-elytron-1.10.8-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-transaction-client-1.1.13-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-ws-commons-XmlSchema-2.2.5-1.redhat_00001.1.el7eap.src.rpm
eap7-xerces-j2-2.12.0-2.SP03_redhat_00001.1.el7eap.src.rpm

noarch:
eap7-activemq-artemis-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-cli-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-commons-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-core-client-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-dto-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-hornetq-protocol-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-hqclient-protocol-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-jdbc-store-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-jms-client-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-jms-server-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-journal-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-native-1.0.2-1.redhat_00001.1.el7eap.noarch.rpm
eap7-activemq-artemis-ra-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-selector-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-server-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-service-extensions-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-activemq-artemis-tools-2.9.0-5.redhat_00011.1.el7eap.noarch.rpm
eap7-apache-commons-codec-1.14.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-apache-commons-lang-3.10.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-apache-cxf-3.3.7-1.redhat_00001.1.el7eap.noarch.rpm
eap7-apache-cxf-rt-3.3.7-1.redhat_00001.1.el7eap.noarch.rpm
eap7-apache-cxf-services-3.3.7-1.redhat_00001.1.el7eap.noarch.rpm
eap7-apache-cxf-tools-3.3.7-1.redhat_00001.1.el7eap.noarch.rpm
eap7-bouncycastle-1.65.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-bouncycastle-mail-1.65.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-bouncycastle-pkix-1.65.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-bouncycastle-prov-1.65.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-glassfish-jsf-2.3.9-11.SP12_redhat_00001.1.el7eap.noarch.rpm
eap7-hal-console-3.2.10-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-5.3.18-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-core-5.3.18-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-entitymanager-5.3.18-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-envers-5.3.18-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-java8-5.3.18-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-httpcomponents-client-4.5.12-1.redhat_00001.1.el7eap.noarch.rpm
eap7-httpcomponents-core-4.4.13-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jberet-1.3.7-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jberet-core-1.3.7-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-invocation-1.5.3-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-logmanager-2.1.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-server-migration-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-cli-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-core-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.0-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.1-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.3-server-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.0-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.1-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly11.0-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly12.0-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly13.0-server-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly14.0-server-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly15.0-server-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly16.0-server-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly17.0-server-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly18.0-server-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly8.2-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly9.0-1.7.2-2.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-jboss-xnio-base-3.7.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jgroups-4.1.10-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-compensations-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-jbosstxbridge-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-jbossxts-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-jts-idlj-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-jts-integration-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-restat-api-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-restat-bridge-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-restat-integration-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-restat-util-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-txframework-5.9.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-picketbox-5.0.3-8.Final_redhat_00007.1.el7eap.noarch.rpm
eap7-picketbox-infinispan-5.0.3-8.Final_redhat_00007.1.el7eap.noarch.rpm
eap7-picketlink-bindings-2.5.5-25.SP12_redhat_00013.1.el7eap.noarch.rpm
eap7-picketlink-wildfly8-2.5.5-25.SP12_redhat_00013.1.el7eap.noarch.rpm
eap7-snakeyaml-1.26.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-undertow-2.0.31-1.SP1_redhat_00001.1.el7eap.noarch.rpm
eap7-velocity-2.2.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-velocity-engine-core-2.2.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-7.3.3-4.GA_redhat_00004.1.el7eap.noarch.rpm
eap7-wildfly-elytron-1.10.8-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-elytron-tool-1.10.8-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk11-7.3.3-4.GA_redhat_00004.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk8-7.3.3-4.GA_redhat_00004.1.el7eap.noarch.rpm
eap7-wildfly-javadocs-7.3.3-4.GA_redhat_00004.1.el7eap.noarch.rpm
eap7-wildfly-modules-7.3.3-4.GA_redhat_00004.1.el7eap.noarch.rpm
eap7-wildfly-transaction-client-1.1.13-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ws-commons-XmlSchema-2.2.5-1.redhat_00001.1.el7eap.noarch.rpm
eap7-xerces-j2-2.12.0-2.SP03_redhat_00001.1.el7eap.noarch.rpm

x86_64:
eap7-artemis-native-1.0.2-3.redhat_1.el7eap.x86_64.rpm
eap7-artemis-native-wildfly-1.0.2-3.redhat_1.el7eap.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2020-1954
https://access.redhat.com/security/cve/CVE-2020-14299
https://access.redhat.com/security/cve/CVE-2020-14338
https://access.redhat.com/security/cve/CVE-2020-14340
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 7.3.3 security update
Advisory ID:       RHSA-2020:4247-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4247
Issue date:        2020-10-13
CVE Names:         CVE-2020-1954 CVE-2020-14299 CVE-2020-14338 CVE-2020-14340
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 7.3.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.3.3 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.2 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.3 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299)

* wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338)

* xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340)

* cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must log in to download the update).

The JBoss server process must be restarted for the update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1824301 - CVE-2020-1954 cxf: JMX integration is vulnerable to a MITM attack
1848533 - CVE-2020-14299 picketbox: JBoss EAP reload to admin-only mode allows authentication bypass
1860054 - CVE-2020-14338 wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl
1860218 - CVE-2020-14340 xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS

5. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-19379 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.17 to 5.3.18
JBEAP-19596 - [GSS](7.3.z) CMTOOL-277 - Migration from EAP 6.4 Update 22 to EAP 7.3 create a misspelled 'Application Realm'
JBEAP-19613 - (7.3.z) ELY-1975 - Update AcmeClientSpi#obtainCertificate so that it obtains the order URL from the response to newOrder
JBEAP-19615 - (7.3.z) ELY-1968 - Update error message returned by AcmeClientSpi#getLocation
JBEAP-19642 - (7.3.z) Upgrade jberet-core from 1.3.5.Final to 1.3.7.Final
JBEAP-19695 - [GSS](7.3.z) Upgrade Apache CXF from 3.3.5 to 3.3.7
JBEAP-19698 - [GSS](7.3.z) Upgrade Invocation from 1.5.2.Final-redhat-00001 to 1.5.3.Final...
JBEAP-19700 - [GSS](7.3.z) Upgrade Migration Tool from 1.7.1-redhat-00003 to 1.7.2-redhat-00001
JBEAP-19701 - [GSS](7.3.z) Upgrade jgroups from 4.1.4.Final-redhat-00001 to 4.1.10.Final-redhat-00001
JBEAP-19715 - [GSS](7.3.z) Upgrade Artemis Native to 1.0.2
JBEAP-19746 - [GSS](7.3.z) Upgrade JBoss Log Manager from 2.1.15 to 2.1.17
JBEAP-19789 - [GSS](7.3.z) Upgrade Narayana from 5.9.8.Final to 5.9.9.Final
JBEAP-19791 - [GSS](7.3.z) Upgrade HAL from 3.2.9.Final-redhat-00001 to 3.2.10.Final-redhat-00001
JBEAP-19795 - (7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP11-redhat-00001 to 2.3.9.SP12-redhat-00001
JBEAP-19796 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00010 to 2.9.0.redhat-00011
JBEAP-19822 - (7.3.z) Upgrade MP fault-tolerance to 2.1.1
JBEAP-19888 - (7.3.z) Upgrade SmallRye OpenAPI to 1.1.23
JBEAP-19934 - (7.3.z) Upgrade bouncycastle to 1.65
JBEAP-19935 - (7.3.z) Upgrade commons-codec to 1.14
JBEAP-19936 - (7.3.z) Upgrade commons-lang3 from 3.9 to 3.10
JBEAP-19937 - (7.3.z) Upgrade snakeyaml to 1.26
JBEAP-19938 - (7.3.z) Upgrade velocity to 2.2
JBEAP-19939 - (7.3.z) Upgrade httpcomponents httpclient from 4.5.4 to 4.5.12
JBEAP-19940 - (7.3.z) Upgrade httpcomponents httpcore from 4.4.5 to 4.4.13
JBEAP-19942 - (7.3.z) Upgrade XNIO from 3.7.8.SP1 to 3.7.9.Final
JBEAP-19955 - (7.3.z) Update xmlschema to 2.2.5
JBEAP-19965 - (7.3.z) Fix PreservePathTestCase after httpclient upgrade
JBEAP-20027 - (7.3.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00012 to 2.5.5.SP12-redhat-00013
JBEAP-20037 - [GSS](7.3.z) Upgrade wildfly-transaction-client from 1.1.11.Final-redhat-00001 to 1.1.13.Final-redhat-00001
JBEAP-20064 - (7.3.z) Update PR template to include PR-processor hints for wildfly-core-eap
JBEAP-20087 - [GSS](7.3.z) WFLY-13147 - Deployment slowdown after WFLY upgrade (DeploymentArchive handling)
JBEAP-20112 - (7.3.z) Upgrade smallrye-fault-tolerance to 4.2.1

6. References:

https://access.redhat.com/security/cve/CVE-2020-1954
https://access.redhat.com/security/cve/CVE-2020-14299
https://access.redhat.com/security/cve/CVE-2020-14338
https://access.redhat.com/security/cve/CVE-2020-14340
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----