-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3802
     Red Hat JBoss Enterprise Application Platform 7.3 security update
                               5 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Enterprise Application Platform 7.3
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25644
Reference:         ESB-2020.3536

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:4922
   https://access.redhat.com/errata/RHSA-2020:4923

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 7.3 security update
Advisory ID:       RHSA-2020:4922-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4922
Issue date:        2020-11-04
CVE Names:         CVE-2020-25644
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform
7.3 for Red Hat Enterprise Linux 6, 7, and 8.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.3 for BaseOS-8 - x86_64
Red Hat JBoss EAP 7.3 for RHEL 6 Server - x86_64
Red Hat JBoss EAP 7.3 for RHEL 7 Server - x86_64

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.

This asynchronous patch is a security update for Red Hat JBoss Enterprise
Application Platform 7.3 for Red Hat Enterprise Linux 6, 7, and 8.

Security Fix(es):

* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
(CVE-2020-25644)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.

4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

You must restart the JBoss server process for the update to take effect.

For details about how to apply this update, see:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL

6. Package List:

Red Hat JBoss EAP 7.3 for RHEL 6 Server:

Source:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el6eap.src.rpm

x86_64:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el6eap.x86_64.rpm
eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.12-1.Final_redhat_00001.1.el6eap.x86_64.rpm

Red Hat JBoss EAP 7.3 for RHEL 7 Server:

Source:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el7eap.src.rpm

x86_64:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el7eap.x86_64.rpm
eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.12-1.Final_redhat_00001.1.el7eap.x86_64.rpm

Red Hat JBoss EAP 7.3 for BaseOS-8:

Source:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el8eap.src.rpm

x86_64:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el8eap.x86_64.rpm
eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.12-1.Final_redhat_00001.1.el8eap.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-25644
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
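The package list above gives the fixed build of the wildfly-openssl RPM (version 1.0.12, release 1.Final_redhat_00001.1). The following POSIX shell snippet is an added example, not part of the Red Hat advisory or the AusCERT bulletin: it takes the NVR string that `rpm -q eap7-wildfly-openssl-linux-x86_64` prints on an EAP host and reports whether that build is at or above the fixed one, so a fleet inventory can be triaged for CVE-2020-25644. The function names and the sample NVR strings other than the advisory's own are constructed for the example; the check applies to the RPM channel only (the RHSA-2020:4923 zip patch is not an RPM) and does not replace verifying the package signature with `rpm -K` before installing.

```shell
#!/bin/sh
# Added example (not Red Hat's or AusCERT's code): classify an installed
# eap7-wildfly-openssl RPM against the fixed build named in RHSA-2020:4922.
# On a real host, feed it the output of:
#   rpm -q eap7-wildfly-openssl-linux-x86_64
# and verify downloaded packages with:  rpm -K <package>.rpm

FIXED_VERSION="1.0.12"   # from the advisory's package list
FIXED_RELEASE="1"        # leading number of "1.Final_redhat_00001.1.elNeap"

# version_ge A B : return 0 when dotted numeric version A >= B.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$ai" = "$a" ] && a="" || a="${a#*.}"
    [ "$bi" = "$b" ] && b="" || b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
  done
  return 0
}

# wildfly_openssl_status NVR : print patched / vulnerable / not-applicable
# and return 0 / 1 / 2.  NVR is name-version-release[.arch] as rpm -q prints it.
wildfly_openssl_status() {
  nvr="$1"
  case "$nvr" in
    eap7-wildfly-openssl-linux-*) ;;
    *) echo "not-applicable"; return 2 ;;
  esac
  rel="${nvr##*-}"        # e.g. 1.Final_redhat_00001.1.el7eap.x86_64
  rest="${nvr%-*}"        # e.g. eap7-wildfly-openssl-linux-x86_64-1.0.12
  ver="${rest##*-}"       # e.g. 1.0.12
  relnum="${rel%%.*}"     # e.g. 1
  if version_ge "$ver" "$FIXED_VERSION"; then
    # strictly newer version, or same version with release >= fixed release
    if [ "$ver" != "$FIXED_VERSION" ] || [ "$relnum" -ge "$FIXED_RELEASE" ]; then
      echo "patched"; return 0
    fi
  fi
  echo "vulnerable"; return 1
}

# Constructed sample inventory (host<TAB>NVR); only the second NVR is the
# advisory's own fixed build, the others are made-up versions for the demo.
SAMPLE_INVENTORY='eap-a	eap7-wildfly-openssl-linux-x86_64-1.0.10-1.Final_redhat_00001.1.el7eap.x86_64
eap-b	eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el7eap.x86_64
eap-c	eap7-wildfly-openssl-linux-x86_64-1.0.12-0.Final_redhat_00001.1.el8eap.x86_64
eap-d	eap7-wildfly-openssl-linux-x86_64-1.1.0-1.Final_redhat_00001.1.el8eap.x86_64'

# report_inventory : print "host status" per line; return number of vulnerable hosts.
report_inventory() {
  vulnerable=0
  printf '%s\n' "$SAMPLE_INVENTORY" | while IFS='	' read -r host nvr; do
    status=$(wildfly_openssl_status "$nvr") || :
    echo "$host $status"
  done
  printf '%s\n' "$SAMPLE_INVENTORY" | while IFS='	' read -r host nvr; do
    wildfly_openssl_status "$nvr" >/dev/null || [ $? -ne 1 ] || echo x
  done | wc -l | tr -d ' '
}

report_inventory
```

The release comparison matters: a rebuild with the same upstream version but a lower release number is still the unpatched code, which is why the function only accepts 1.0.12 when the release is at least 1.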
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX6LL29zjgjWX9erEAQjQQw//absY2WPlYeXM2BLNyWPhuCuNwPiosu7r
ezzlmU1LawVdMWJHEBY2YHVFwe9pFkO4JTQmKE0n5nZC8VTCTz4A3ombjZX6vFAr
YSd8qf1BEtHxIDxZTyEVaqFXuhleJSsQstf8UEhtlDLlzpUZMmvtT/LroHNcKdsA
TCk755XV1NgKQyWZN0xzwcF1ym6KDO7mFwN7qtUtBI7v7AGccgnWrDo7UajZiJKi
vERfRWtVviCCmZXNLZaMp44/vwN3lu+I3WJ7Eaaq+mzyutgRd+1EqafMO1D+9j6W
iixfDOeNeOMQNX4Dnt293PSo4JtWD6rr4W5bUq5DBxJUPW1XD64K9Wf1vDqrFog3
zC3s9nS0Qv9LcGNSzdewLNRhLRZkChl8MT0FepOtJzDMyCt1MiYGyHTSyOL+gpXW
OrwsibT6PbPijA1CnYiRilet70HEVIoqpiwrR6+VclcU/4cjiWKcewbp3OgaHx1h
fafNyoe6c3bZOtbUxwM/8G80kXg/jSU++ABBA6PpRt4vRb7aARhSfPWQwkWCjw7Q
uqoa/btvWmtAWNcJ5pyYAYFcImkEdrBJyOZk4CgDiTtxMYObBMdy3JlJLy5pb/UG
/4xlL0KIZQgAyGquROtnp322do9kXy3Gol9abbhmV5UVgO8LAFJWIqd/XLsxi4MA
CbzldXOgJU0=
=PlKV
- -----END PGP SIGNATURE-----

- ------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 7.3.3 security update
Advisory ID:       RHSA-2020:4923-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4923
Issue date:        2020-11-04
CVE Names:         CVE-2020-25644
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform
7.3.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.

This asynchronous patch is a security update for Red Hat JBoss Enterprise
Application Platform 7.3.

Security Fix(es):

* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
(CVE-2020-25644)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must log
in to download the update).

The JBoss server process must be restarted for the update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL

5. References:

https://access.redhat.com/security/cve/CVE-2020-25644
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX6LKctzjgjWX9erEAQh/8A/9FAgMi5bZ0Bi4Yhe1MC8cSDa8KuEaWMKV
LhXCRJGBBXhJ0zlN9MGRgyXTmPFePUExCO9IzIGl1k7OTuv0fAn3YDozJzLuC64L
uFoMrzvtW4DUnmoXOMI4GV91124kQyBG22ojf0RNAW5wZySQiUAGDLGqUt1xzAXe
NckpYYueSqTr0gi6pm6XF+NBUAo4ZuyALtmBjzCcD8kNCT61A/X7RCeXYBj4gFn4
TLDs7qCM9+0MgIA5lH0EnmBTxsOsxRNXWNUw9tsgQZfczCN1h91hWNqc2DL+YeaI
C3KBaYZpzCqXbGmlSNLCcr7959KZyN/mhdbb6ojLD3ZPogBaCWobsdB1yIQJMdF/
eF15/6+Wn5hjAjAzdj7Hx3PYGnn8pqsrQi59wGEiCXQTiWosgnx1xQFDM/EcMbSm
IEo+Z+TPeeJsWmb1jziWbWtbvkBchw+I6LXtq85BBb6UmMMBzMv/EsJCwz9uUFwG
W2d4tSoLTf9PsFlrsqcB9JvuTIoznHHL8GyjZUj7YkQgBKGMLpzKonNcwp0PFN2p
0NJVDiqyuULs9arPrX3GSZ8s5rO9iVRpsxXn+B0HEA85EGgJ6HX7VtQow7nC/G2q
by4amJ/MtJTI0KTn9o5IBJy8nuyddUOCiAvTE2irMqVUOvVzoz6W/QMxH+7npDvR
ZfpkiAmKRvU=
=3t7j
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX6MyAuNLKJtyKPYoAQhzRBAAoOvyFpBo+G5RLiKiJVA5l5ljaCQ7JW2B
h8jQ0SxpOZHFTQC7qp+RTss5qqgb0Q5ZST27J9Bb5yPtT4Kr+cQtRa3cIIYqYJZH
E1CAH/x5EKhMbrXb29ytF14zbBogH3P3qpD5NVKj0ywMd5EY88uN/yK1dz/GzkVs
u0WlEecqoRyYAhtCZDX8aQ2UVs7U1Z9Ah3Plpuxx76p5c2jZv6b2edgfAYcw9mA0
K0wrdfwg/QvWO9it+r0oTil6YeuKpY/LKPDsQ/3IklwZ6YWDBGEh9WUuNZmCd7if
UARL+ec8PbbQRNdyJ6cO0L/UAghZ2jv3PtVgw2hJq9TTsaiOzsMDK8qUS2Cx2Ctc
RKeblPug0tkG+uuntUUaLOdnGOg4gGKCWyNZ+pPN8qogTYO09I2tMpNESXuiVJHg
ux+4MKgztDRSkwzpembUSw92ubTsW5FcirMQ+oqAftp87L7g2fTNXYZrRcOuoCg1
NK8UYb9nwfeB+2y0E2QENwP6sRJSuYLYE3eB2fIWD/oLJBADAKUtvkoVmopTDX5p
yIuKsESYpGf4gF320OeN0mkIGa/4DXzUlwiwaQa8JnD8/Xt4dwSWjrCSLvQiLVhc
qHuAcipfx75KJkwNyP1QldaO8sjk1m5WjAhZB5J/gPMhTNO4c4tQ/Eza4OjOGijN
KL3k0GJ36EI=
=sLYM
-----END PGP SIGNATURE-----