Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3802
Red Hat JBoss Enterprise Application Platform 7.3 security update
5 November 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat JBoss Enterprise Application Platform 7.3
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-25644
Reference: ESB-2020.3536
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:4922
https://access.redhat.com/errata/RHSA-2020:4923
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3 security update
Advisory ID: RHSA-2020:4922-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:4922
Issue date: 2020-11-04
CVE Names: CVE-2020-25644
=====================================================================
1. Summary:
An update is now available for Red Hat JBoss Enterprise Application
Platform 7.3 for Red Hat Enterprise Linux 6, 7, and 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat JBoss EAP 7.3 for BaseOS-8 - x86_64
Red Hat JBoss EAP 7.3 for RHEL 6 Server - x86_64
Red Hat JBoss EAP 7.3 for RHEL 7 Server - x86_64
3. Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.
This asynchronous patch is a security update for Red Hat JBoss Enterprise
Application Platform 7.3 for Red Hat Enterprise Linux 6, 7, and 8.
Security Fix(es):
* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
(CVE-2020-25644)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.
4. Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
You must restart the JBoss server process for the update to take effect.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
6. Package List:
Red Hat JBoss EAP 7.3 for RHEL 6 Server:
Source:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el6eap.src.rpm
x86_64:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el6eap.x86_64.rpm
eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.12-1.Final_redhat_00001.1.el6eap.x86_64.rpm
Red Hat JBoss EAP 7.3 for RHEL 7 Server:
Source:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el7eap.src.rpm
x86_64:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el7eap.x86_64.rpm
eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.12-1.Final_redhat_00001.1.el7eap.x86_64.rpm
Red Hat JBoss EAP 7.3 for BaseOS-8:
Source:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el8eap.src.rpm
x86_64:
eap7-wildfly-openssl-linux-x86_64-1.0.12-1.Final_redhat_00001.1.el8eap.x86_64.rpm
eap7-wildfly-openssl-linux-x86_64-debuginfo-1.0.12-1.Final_redhat_00001.1.el8eap.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-25644
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX6LL29zjgjWX9erEAQjQQw//absY2WPlYeXM2BLNyWPhuCuNwPiosu7r
ezzlmU1LawVdMWJHEBY2YHVFwe9pFkO4JTQmKE0n5nZC8VTCTz4A3ombjZX6vFAr
YSd8qf1BEtHxIDxZTyEVaqFXuhleJSsQstf8UEhtlDLlzpUZMmvtT/LroHNcKdsA
TCk755XV1NgKQyWZN0xzwcF1ym6KDO7mFwN7qtUtBI7v7AGccgnWrDo7UajZiJKi
vERfRWtVviCCmZXNLZaMp44/vwN3lu+I3WJ7Eaaq+mzyutgRd+1EqafMO1D+9j6W
iixfDOeNeOMQNX4Dnt293PSo4JtWD6rr4W5bUq5DBxJUPW1XD64K9Wf1vDqrFog3
zC3s9nS0Qv9LcGNSzdewLNRhLRZkChl8MT0FepOtJzDMyCt1MiYGyHTSyOL+gpXW
OrwsibT6PbPijA1CnYiRilet70HEVIoqpiwrR6+VclcU/4cjiWKcewbp3OgaHx1h
fafNyoe6c3bZOtbUxwM/8G80kXg/jSU++ABBA6PpRt4vRb7aARhSfPWQwkWCjw7Q
uqoa/btvWmtAWNcJ5pyYAYFcImkEdrBJyOZk4CgDiTtxMYObBMdy3JlJLy5pb/UG
/4xlL0KIZQgAyGquROtnp322do9kXy3Gol9abbhmV5UVgO8LAFJWIqd/XLsxi4MA
CbzldXOgJU0=
=PlKV
- -----END PGP SIGNATURE-----
- ------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3.3 security update
Advisory ID: RHSA-2020:4923-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:4923
Issue date: 2020-11-04
CVE Names: CVE-2020-25644
=====================================================================
1. Summary:
An update is now available for Red Hat JBoss Enterprise Application
Platform 7.3.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.
This asynchronous patch is a security update for Red Hat JBoss Enterprise
Application Platform 7.3.
Security Fix(es):
* wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
(CVE-2020-25644)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
The References section of this erratum contains a download link (you must
log in to download the update).
The JBoss server process must be restarted for the update to take effect.
4. Bugs fixed (https://bugzilla.redhat.com/):
1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
5. References:
https://access.redhat.com/security/cve/CVE-2020-25644
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX6LKctzjgjWX9erEAQh/8A/9FAgMi5bZ0Bi4Yhe1MC8cSDa8KuEaWMKV
LhXCRJGBBXhJ0zlN9MGRgyXTmPFePUExCO9IzIGl1k7OTuv0fAn3YDozJzLuC64L
uFoMrzvtW4DUnmoXOMI4GV91124kQyBG22ojf0RNAW5wZySQiUAGDLGqUt1xzAXe
NckpYYueSqTr0gi6pm6XF+NBUAo4ZuyALtmBjzCcD8kNCT61A/X7RCeXYBj4gFn4
TLDs7qCM9+0MgIA5lH0EnmBTxsOsxRNXWNUw9tsgQZfczCN1h91hWNqc2DL+YeaI
C3KBaYZpzCqXbGmlSNLCcr7959KZyN/mhdbb6ojLD3ZPogBaCWobsdB1yIQJMdF/
eF15/6+Wn5hjAjAzdj7Hx3PYGnn8pqsrQi59wGEiCXQTiWosgnx1xQFDM/EcMbSm
IEo+Z+TPeeJsWmb1jziWbWtbvkBchw+I6LXtq85BBb6UmMMBzMv/EsJCwz9uUFwG
W2d4tSoLTf9PsFlrsqcB9JvuTIoznHHL8GyjZUj7YkQgBKGMLpzKonNcwp0PFN2p
0NJVDiqyuULs9arPrX3GSZ8s5rO9iVRpsxXn+B0HEA85EGgJ6HX7VtQow7nC/G2q
by4amJ/MtJTI0KTn9o5IBJy8nuyddUOCiAvTE2irMqVUOvVzoz6W/QMxH+7npDvR
ZfpkiAmKRvU=
=3t7j
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX6MyAuNLKJtyKPYoAQhzRBAAoOvyFpBo+G5RLiKiJVA5l5ljaCQ7JW2B
h8jQ0SxpOZHFTQC7qp+RTss5qqgb0Q5ZST27J9Bb5yPtT4Kr+cQtRa3cIIYqYJZH
E1CAH/x5EKhMbrXb29ytF14zbBogH3P3qpD5NVKj0ywMd5EY88uN/yK1dz/GzkVs
u0WlEecqoRyYAhtCZDX8aQ2UVs7U1Z9Ah3Plpuxx76p5c2jZv6b2edgfAYcw9mA0
K0wrdfwg/QvWO9it+r0oTil6YeuKpY/LKPDsQ/3IklwZ6YWDBGEh9WUuNZmCd7if
UARL+ec8PbbQRNdyJ6cO0L/UAghZ2jv3PtVgw2hJq9TTsaiOzsMDK8qUS2Cx2Ctc
RKeblPug0tkG+uuntUUaLOdnGOg4gGKCWyNZ+pPN8qogTYO09I2tMpNESXuiVJHg
ux+4MKgztDRSkwzpembUSw92ubTsW5FcirMQ+oqAftp87L7g2fTNXYZrRcOuoCg1
NK8UYb9nwfeB+2y0E2QENwP6sRJSuYLYE3eB2fIWD/oLJBADAKUtvkoVmopTDX5p
yIuKsESYpGf4gF320OeN0mkIGa/4DXzUlwiwaQa8JnD8/Xt4dwSWjrCSLvQiLVhc
qHuAcipfx75KJkwNyP1QldaO8sjk1m5WjAhZB5J/gPMhTNO4c4tQ/Eza4OjOGijN
KL3k0GJ36EI=
=sLYM
-----END PGP SIGNATURE-----