Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0922
Red Hat JBoss Enterprise Application Platform security update
17 March 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat JBoss Enterprise Application Platform
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Cross-site Scripting -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20250 CVE-2021-20220 CVE-2020-35510
CVE-2020-28052 CVE-2020-10687 CVE-2020-8908
Reference: ESB-2020.3065
ESB-2020.2826
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:0872
https://access.redhat.com/errata/RHSA-2021:0873
https://access.redhat.com/errata/RHSA-2021:0874
https://access.redhat.com/errata/RHSA-2021:0885
Comment: This bulletin contains four (4) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.6 security update
Advisory ID: RHSA-2021:0872-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0872
Issue date: 2021-03-16
CVE Names: CVE-2020-8908 CVE-2020-10687 CVE-2020-28052
CVE-2020-35510 CVE-2021-20220 CVE-2021-20250
=====================================================================
1. Summary:
A security update is now available for Red Hat JBoss Enterprise Application
Platform 7.3 for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat JBoss EAP 7.3 for RHEL 6 Server - noarch
3. Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.3.6 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.5,
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.3.6 Release Notes for information about the most
significant bug fixes and enhancements included in this release.
Security Fix(es):
* jboss-remoting: Threads hold up forever in the EJB server by suppressing
the ack from an EJB client (CVE-2020-35510)
* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)
* wildfly-undertow: undertow: Possible regression in fix for CVE-2020-10687
(CVE-2021-20220)
* jboss-ejb-client: wildfly: Information disclosure due to publicly
accessible privileged actions in JBoss EJB Client (CVE-2021-20250)
* guava: local information disclosure via temporary directory created with
unsafe permissions (CVE-2020-8908)
4. Solution:
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client
1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687
1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client
6. JIRA issues fixed (https://issues.jboss.org/):
JBEAP-20336 - (7.3.z) Upgrade Bouncy Castle from 1.65.0.redhat-00001 to 1.68.0.redhat-00001
JBEAP-20628 - [GSS] (7.3.z) Upgrade undertow from 2.0.33.SP2-redhat-00001 to 2.0.34.SP1-redhat-00001
JBEAP-20672 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00017 to 2.9.0.redhat-00019
JBEAP-20694 - (7.3.z) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final
JBEAP-20695 - (7.3.z) (WF-Core) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final
JBEAP-20715 - Tracker bug for the EAP 7.3.6 release for RHEL-6
JBEAP-20762 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.37.Final-redhat-00001 to 4.0.39.SP1-redhat-00001
JBEAP-20791 - (7.3.z) Upgrade WildFly Elytron from 1.10.10.Final-redhat-00001 to 1.10.11.Final-redhat-00001
JBEAP-20795 - [GSS](7.3.z) Upgrade HAL from 3.2.12.Final-redhat-00001 to 3.2.13.Final-redhat-00001
JBEAP-20802 - (7.3.z) Upgrade Narayana from 5.9.10.Final-redhat-00001 to 5.9.11.Final-redhat-00001
JBEAP-20805 - (7.3.z) Upgrade guava from 25.0.redhat-1 to 30.1.0.redhat-00001
JBEAP-20815 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.20.Final-redhat-00001 to 5.0.20.SP1-redhat-00001
JBEAP-20816 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.24.Final-redhat-00001 to 1.0.25.Final-redhat-00001
JBEAP-20883 - [GSS](7.3.z) Upgrade wildfly-naming-client from 1.0.13.Final-redhat-00001 to 1.0.14.Final-redhat-00001
JBEAP-20887 - (7.3.z) Upgrade IronJacamar from 1.4.22.Final-redhat-00001 to 1.4.27.Final-redhat-00001
JBEAP-20908 - (7.3.z)(wf-core) Upgrade guava from 20.0 to 30.1.0.redhat-00001
JBEAP-20918 - (7.3.z) Upgrade jboss-logmanager from 2.1.17.Final-redhat-00001 to 2.1.18.Final-redhat-00001
JBEAP-20941 - (7.3.z)(wf-core) Upgrade Bouncy Castle from 1.65 to 1.68
7. Package List:
Red Hat JBoss EAP 7.3 for RHEL 6 Server:
Source:
eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el6eap.src.rpm
eap7-bouncycastle-1.68.0-1.redhat_00001.1.el6eap.src.rpm
eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el6eap.src.rpm
eap7-guava-libraries-30.1.0-1.redhat_00001.1.el6eap.src.rpm
eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el6eap.src.rpm
eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el6eap.src.rpm
eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el6eap.src.rpm
eap7-narayana-5.9.11-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el6eap.src.rpm
eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el6eap.src.rpm
eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-wildfly-http-client-1.0.25-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el6eap.src.rpm
noarch:
eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-cli-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-commons-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-core-client-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-dto-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-hornetq-protocol-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-hqclient-protocol-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-jdbc-store-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-jms-client-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-jms-server-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-journal-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-ra-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-selector-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-server-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-service-extensions-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-activemq-artemis-tools-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm
eap7-bouncycastle-1.68.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-bouncycastle-mail-1.68.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-bouncycastle-pkix-1.68.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-bouncycastle-prov-1.68.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-guava-30.1.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el6eap.noarch.rpm
eap7-guava-libraries-30.1.0-1.redhat_00001.1.el6eap.noarch.rpm
eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-common-api-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-common-impl-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-common-spi-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-core-api-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-core-impl-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-deployers-common-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-jdbc-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-validator-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-cli-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-core-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.0-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.1-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.3-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.0-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.1-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly11.0-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly12.0-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly13.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly14.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly15.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly16.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly17.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly18.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly8.2-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly9.0-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm
eap7-narayana-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-compensations-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-jbosstxbridge-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-jbossxts-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-jts-idlj-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-jts-integration-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-restat-api-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-restat-bridge-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-restat-integration-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-restat-util-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-narayana-txframework-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el6eap.noarch.rpm
eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-elytron-tool-1.10.11-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-http-client-common-1.0.25-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-http-ejb-client-1.0.25-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-http-naming-client-1.0.25-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-http-transaction-client-1.0.25-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-javadocs-7.3.6-1.GA_redhat_00002.1.el6eap.noarch.rpm
eap7-wildfly-modules-7.3.6-1.GA_redhat_00002.1.el6eap.noarch.rpm
eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el6eap.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
8. References:
https://access.redhat.com/security/cve/CVE-2020-8908
https://access.redhat.com/security/cve/CVE-2020-10687
https://access.redhat.com/security/cve/CVE-2020-28052
https://access.redhat.com/security/cve/CVE-2020-35510
https://access.redhat.com/security/cve/CVE-2021-20220
https://access.redhat.com/security/cve/CVE-2021-20250
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
9. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYFC6DdzjgjWX9erEAQinwA//QQioMLdx/TEKxOQZTvYT8u6B9lAP8WWc
J4N8LNGdcFToicJ+6+HrSASoTO2cAP+smsoum2EthY+9pQQZnKbkYzZVIxHkb5Ob
sAbBli3aYUNe1PWjjOXtPtcfZq06obphJf6k0uy6Xj6+hRN+Rhg+j92Aq6drEIEr
1C2AbrZ5WZtMWbwWk/cKpLyntjETGE/2Ulh7UBzmlfPZwpS9+AsthwbPKfk3sgOl
IVu70V/fSYtsJ+hBJF62fliC1DRFVZmdtHk5mCcy/6GLKx6gu7KfRuKcn/+r8jG5
pmMxOno2nNQI1kbTD7K1Z7yFWx1H2/mc1LNXlFzu+raT6sNpzHCS63OpwVrsjyzr
wRdqno2gEXWaqipkfD7X0v7/n7T9sKRTD8hTCYb4ACVtiT7BSEvjRPjjInkRhuLs
t2/JYFD33pECUL3+Kpra+golkGW+cCfZk0xP7Mq3GiOK9ve/kEQoyM9UpyUpZ/Pt
onKGc/xQD2hwBMwITU68oHnkZSwb4aGQA/gpkYED5t2oiqWsN8mIdRrkerEet8/K
K8A0e0ycQFRZPVfHJy1adGvZhYCmnQBAuhNu+2UZjXoeZgQ6TB/nOKDNXtbGxy4b
p0abGao+HJ7iCm5NQgqW2TULyqsWYiDRGNjYbOi+HTGn9lTF/LmhI64bnaTBIUnL
F8BNkuUT5+0=
=fyBq
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.6 security update
Advisory ID: RHSA-2021:0873-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0873
Issue date: 2021-03-16
CVE Names: CVE-2020-8908 CVE-2020-10687 CVE-2020-28052
CVE-2020-35510 CVE-2021-20220 CVE-2021-20250
=====================================================================
1. Summary:
A security update is now available for Red Hat JBoss Enterprise Application
Platform 7.3 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat JBoss EAP 7.3 for RHEL 7 Server - noarch
3. Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.3.6 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.5,
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.3.6 Release Notes for information about the most
significant bug fixes and enhancements included in this release.
Security Fix(es):
* jboss-remoting: Threads hold up forever in the EJB server by suppressing
the ack from an EJB client (CVE-2020-35510)
* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)
* wildfly-undertow: undertow: Possible regression in fix for CVE-2020-10687
(CVE-2021-20220)
* jboss-ejb-client: wildfly: Information disclosure due to publicly
accessible privileged actions in JBoss EJB Client (CVE-2021-20250)
* guava: local information disclosure via temporary directory created with
unsafe permissions (CVE-2020-8908)
4. Solution:
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client
1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687
1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client
6. JIRA issues fixed (https://issues.jboss.org/):
JBEAP-20336 - (7.3.z) Upgrade Bouncy Castle from 1.65.0.redhat-00001 to 1.68.0.redhat-00001
JBEAP-20628 - [GSS] (7.3.z) Upgrade undertow from 2.0.33.SP2-redhat-00001 to 2.0.34.SP1-redhat-00001
JBEAP-20672 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00017 to 2.9.0.redhat-00019
JBEAP-20694 - (7.3.z) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final
JBEAP-20695 - (7.3.z) (WF-Core) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final
JBEAP-20716 - Tracker bug for the EAP 7.3.6 release for RHEL-7
JBEAP-20762 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.37.Final-redhat-00001 to 4.0.39.SP1-redhat-00001
JBEAP-20791 - (7.3.z) Upgrade WildFly Elytron from 1.10.10.Final-redhat-00001 to 1.10.11.Final-redhat-00001
JBEAP-20795 - [GSS](7.3.z) Upgrade HAL from 3.2.12.Final-redhat-00001 to 3.2.13.Final-redhat-00001
JBEAP-20802 - (7.3.z) Upgrade Narayana from 5.9.10.Final-redhat-00001 to 5.9.11.Final-redhat-00001
JBEAP-20805 - (7.3.z) Upgrade guava from 25.0.redhat-1 to 30.1.0.redhat-00001
JBEAP-20815 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.20.Final-redhat-00001 to 5.0.20.SP1-redhat-00001
JBEAP-20816 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.24.Final-redhat-00001 to 1.0.25.Final-redhat-00001
JBEAP-20883 - [GSS](7.3.z) Upgrade wildfly-naming-client from 1.0.13.Final-redhat-00001 to 1.0.14.Final-redhat-00001
JBEAP-20887 - (7.3.z) Upgrade IronJacamar from 1.4.22.Final-redhat-00001 to 1.4.27.Final-redhat-00001
JBEAP-20908 - (7.3.z)(wf-core) Upgrade guava from 20.0 to 30.1.0.redhat-00001
JBEAP-20918 - (7.3.z) Upgrade jboss-logmanager from 2.1.17.Final-redhat-00001 to 2.1.18.Final-redhat-00001
JBEAP-20941 - (7.3.z)(wf-core) Upgrade Bouncy Castle from 1.65 to 1.68
7. Package List:
Red Hat JBoss EAP 7.3 for RHEL 7 Server:
Source:
eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el7eap.src.rpm
eap7-bouncycastle-1.68.0-1.redhat_00001.1.el7eap.src.rpm
eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el7eap.src.rpm
eap7-guava-libraries-30.1.0-1.redhat_00001.1.el7eap.src.rpm
eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el7eap.src.rpm
eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el7eap.src.rpm
eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el7eap.src.rpm
eap7-narayana-5.9.11-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el7eap.src.rpm
eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-http-client-1.0.25-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el7eap.src.rpm
noarch:
eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-cli-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-commons-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-core-client-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-dto-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-hornetq-protocol-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-hqclient-protocol-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-jdbc-store-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-jms-client-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-jms-server-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-journal-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-ra-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-selector-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-server-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-service-extensions-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-activemq-artemis-tools-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm
eap7-bouncycastle-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-bouncycastle-mail-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-bouncycastle-pkix-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-bouncycastle-prov-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-guava-30.1.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el7eap.noarch.rpm
eap7-guava-libraries-30.1.0-1.redhat_00001.1.el7eap.noarch.rpm
eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-api-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-impl-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-spi-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-core-api-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-core-impl-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-deployers-common-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-jdbc-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-validator-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-cli-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-core-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.1-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.3-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.1-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly11.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly12.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly13.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly14.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly15.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly16.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly17.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly18.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly8.2-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly9.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm
eap7-narayana-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-compensations-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-jbosstxbridge-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-jbossxts-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-jts-idlj-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-jts-integration-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-restat-api-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-restat-bridge-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-restat-integration-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-restat-util-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-narayana-txframework-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-elytron-tool-1.10.11-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-client-common-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-ejb-client-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-naming-client-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-transaction-client-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk11-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk8-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-javadocs-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-modules-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el7eap.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
8. References:
https://access.redhat.com/security/cve/CVE-2020-8908
https://access.redhat.com/security/cve/CVE-2020-10687
https://access.redhat.com/security/cve/CVE-2020-28052
https://access.redhat.com/security/cve/CVE-2020-35510
https://access.redhat.com/security/cve/CVE-2021-20220
https://access.redhat.com/security/cve/CVE-2021-20250
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
9. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYFC6PNzjgjWX9erEAQhwXw/+IcftYvV0k1bn5cPiB200OQaDYIqoqaf7
10hvauMXgYTx6CqYHVhBfJ9GGp0u+3RyhQroGQ0KX4/98D2SDcMduCMI+2MrMXlP
Lh0/9BSfpeMha0ofuTeBr1Ut/YUthuC7hb6bmHmIu7WgVbllg5JdoSvczz8ssnMs
h8JIlBh+3iLHAvE2HVEHiwEVTpuNpw7hJWnIOAyVZrInpWWKTtDs9DVodcopIOY1
tug3wDP7eVAFB5HY8eEjg8IzWXyDAD2/jH/KdlycbWUaddCQ1MHEfkpCoBqt3UPa
TsIMyOiUx2dlF1vX62W3rJsGS4YMVWPpcgOqY6nFCpQngjZg2FN1lvwpeVlbUWH6
JCKTpyIOxUJnyQ0WC6CCn/K21trGj7VpeO5uyYBs9e1oel2ZvJjFdk+5Xu4SpO/u
QucA/sz2yzMmGGMvQFnVyfLHZsb9yWh7ZXawmaGk4Pjl1UKkpgw+xqUbjf/x0oWi
pjC+00IqXC+Sbq1ymcV+tBWMeBVYzoCY2ZMGQ7EV45EXniWM28M2+DJspp50c5HP
QlYBHjdZxgvvKmrZHXOqqLNweVsOm/2vQVW097WTGH4LTDf3fTgWF6EuYuZu1cV1
hToZXAiaXQCP8F5ul44VWAw7ANraKzs1/gNWTCZvJFxX2m4AxrtBF+FRQ5lecpg6
OzFY6V140vk=
=Q4ys
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.6 security update
Advisory ID: RHSA-2021:0874-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0874
Issue date: 2021-03-16
CVE Names: CVE-2020-8908 CVE-2020-10687 CVE-2020-28052
CVE-2020-35510 CVE-2021-20220 CVE-2021-20250
=====================================================================
1. Summary:
A security update is now available for Red Hat JBoss Enterprise Application
Platform 7.3 for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch
3. Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.3.6 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.5,
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.3.6 Release Notes for information about the most
significant bug fixes and enhancements included in this release.
Security Fix(es):
* jboss-remoting: Threads hold up forever in the EJB server by suppressing
the ack from an EJB client (CVE-2020-35510)
* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)
* wildfly-undertow: undertow: Possible regression in fix for CVE-2020-10687
(CVE-2021-20220)
* jboss-ejb-client: wildfly: Information disclosure due to publicly
accessible privileged actions in JBoss EJB Client (CVE-2021-20250)
* guava: local information disclosure via temporary directory created with
unsafe permissions (CVE-2020-8908)
4. Solution:
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client
1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687
1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client
6. JIRA issues fixed (https://issues.jboss.org/):
JBEAP-20336 - (7.3.z) Upgrade Bouncy Castle from 1.65.0.redhat-00001 to 1.68.0.redhat-00001
JBEAP-20628 - [GSS] (7.3.z) Upgrade undertow from 2.0.33.SP2-redhat-00001 to 2.0.34.SP1-redhat-00001
JBEAP-20672 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00017 to 2.9.0.redhat-00019
JBEAP-20694 - (7.3.z) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final
JBEAP-20695 - (7.3.z) (WF-Core) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final
JBEAP-20717 - Tracker bug for the EAP 7.3.6 release for RHEL-8
JBEAP-20762 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.37.Final-redhat-00001 to 4.0.39.SP1-redhat-00001
JBEAP-20791 - (7.3.z) Upgrade WildFly Elytron from 1.10.10.Final-redhat-00001 to 1.10.11.Final-redhat-00001
JBEAP-20795 - [GSS](7.3.z) Upgrade HAL from 3.2.12.Final-redhat-00001 to 3.2.13.Final-redhat-00001
JBEAP-20802 - (7.3.z) Upgrade Narayana from 5.9.10.Final-redhat-00001 to 5.9.11.Final-redhat-00001
JBEAP-20805 - (7.3.z) Upgrade guava from 25.0.redhat-1 to 30.1.0.redhat-00001
JBEAP-20815 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.20.Final-redhat-00001 to 5.0.20.SP1-redhat-00001
JBEAP-20816 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.24.Final-redhat-00001 to 1.0.25.Final-redhat-00001
JBEAP-20883 - [GSS](7.3.z) Upgrade wildfly-naming-client from 1.0.13.Final-redhat-00001 to 1.0.14.Final-redhat-00001
JBEAP-20887 - (7.3.z) Upgrade IronJacamar from 1.4.22.Final-redhat-00001 to 1.4.27.Final-redhat-00001
JBEAP-20908 - (7.3.z)(wf-core) Upgrade guava from 20.0 to 30.1.0.redhat-00001
JBEAP-20918 - (7.3.z) Upgrade jboss-logmanager from 2.1.17.Final-redhat-00001 to 2.1.18.Final-redhat-00001
JBEAP-20941 - (7.3.z)(wf-core) Upgrade Bouncy Castle from 1.65 to 1.68
7. Package List:
Red Hat JBoss EAP 7.3 for BaseOS-8:
Source:
eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el8eap.src.rpm
eap7-bouncycastle-1.68.0-1.redhat_00001.1.el8eap.src.rpm
eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el8eap.src.rpm
eap7-guava-libraries-30.1.0-1.redhat_00001.1.el8eap.src.rpm
eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el8eap.src.rpm
eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el8eap.src.rpm
eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el8eap.src.rpm
eap7-narayana-5.9.11-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el8eap.src.rpm
eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-http-client-1.0.25-1.Final_redhat_00001.1.el8eap.src.rpm
eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el8eap.src.rpm
noarch:
eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-cli-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-commons-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-core-client-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-dto-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-hornetq-protocol-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-hqclient-protocol-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-jdbc-store-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-jms-client-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-jms-server-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-journal-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-ra-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-selector-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-server-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-service-extensions-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-activemq-artemis-tools-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm
eap7-bouncycastle-1.68.0-1.redhat_00001.1.el8eap.noarch.rpm
eap7-bouncycastle-mail-1.68.0-1.redhat_00001.1.el8eap.noarch.rpm
eap7-bouncycastle-pkix-1.68.0-1.redhat_00001.1.el8eap.noarch.rpm
eap7-bouncycastle-prov-1.68.0-1.redhat_00001.1.el8eap.noarch.rpm
eap7-guava-30.1.0-1.redhat_00001.1.el8eap.noarch.rpm
eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el8eap.noarch.rpm
eap7-guava-libraries-30.1.0-1.redhat_00001.1.el8eap.noarch.rpm
eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-common-api-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-common-impl-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-common-spi-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-core-api-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-core-impl-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-deployers-common-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-jdbc-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-ironjacamar-validator-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el8eap.noarch.rpm
eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-cli-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-core-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap7.0-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap7.1-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-eap7.3-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.0-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.1-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly11.0-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly12.0-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly13.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly14.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly15.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly16.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly17.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly18.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly8.2-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-jboss-server-migration-wildfly9.0-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm
eap7-narayana-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-compensations-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-jbosstxbridge-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-jbossxts-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-jts-idlj-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-jts-integration-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-restat-api-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-restat-bridge-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-restat-integration-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-restat-util-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-narayana-txframework-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el8eap.noarch.rpm
eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-elytron-tool-1.10.11-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-http-client-common-1.0.25-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-http-ejb-client-1.0.25-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-http-naming-client-1.0.25-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-http-transaction-client-1.0.25-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-wildfly-javadocs-7.3.6-1.GA_redhat_00002.1.el8eap.noarch.rpm
eap7-wildfly-modules-7.3.6-1.GA_redhat_00002.1.el8eap.noarch.rpm
eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el8eap.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
8. References:
https://access.redhat.com/security/cve/CVE-2020-8908
https://access.redhat.com/security/cve/CVE-2020-10687
https://access.redhat.com/security/cve/CVE-2020-28052
https://access.redhat.com/security/cve/CVE-2020-35510
https://access.redhat.com/security/cve/CVE-2021-20220
https://access.redhat.com/security/cve/CVE-2021-20250
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
9. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYFC50dzjgjWX9erEAQgPxQ/+Iju5zlYLiYdk7wE9qAtkJGIzfX8BqhQe
2J+/jKdOk8WoYbHaxT+X2w4BqHsVW/U2paYprzaevzAxGYQIiJUndPZTqVRhh50f
0Qu+B6h86kWVgvasepjhCj8BxnM1TkzQj6sWMcFPJsktivOCa5bbqv2BU/zzZoDs
gNnZHBAX3wroDptZ5NPo70wJKzYC/nz5AlIbFN3PHJSkaGSe+DVdBH+OuX9MVabV
cgomDk/PPWDz3iSKiIoXEorVY//INtt7c6eQ4qToVv8+azM8pBzLkzmzFmwmjNKh
cNyOU8aMJUI/onmGaLdw4aodOKwePRPvY9wTxj4FcHdXEp0pU2r/ivjMIMs2Gmg1
mTzCKKL3pQaI6cIEs+K4WheF8e5TvUrlIOdd5fMGhfUTAx5WHx7AQj01KhYAFKI0
HLjRaNpF+tHr800PoiLQkkhg6IZ38h0KA1aZ7RaCkw90Adcy+U8ejrcaOnCdp18u
Tw2VOF/M816WDFZmu8R8ek1miiIxRs4aLm1Pxna1wKQ/91WqPf1OqhTFqV6YQPzR
M7e+p/Gol2qulobvuFSWAQnnjcOZ2PbT0KEle4ikokO8jaBeErzfoAFxQK5vxWZz
CuJo2ApDky63Kc1ZRrWfBMltWrvHesky7qE6iAxNRbwQcCIz2+Bdk1KNFz/ZgXkU
nFu2QOgd2ec=
=HSpl
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.6 security update
Advisory ID: RHSA-2021:0885-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0885
Issue date: 2021-03-16
CVE Names: CVE-2020-8908 CVE-2020-10687 CVE-2020-28052
CVE-2020-35510 CVE-2021-20220 CVE-2021-20250
=====================================================================
1. Summary:
A security update is now available for Red Hat JBoss Enterprise Application
Platform 7.3.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.3.6 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.5,
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.3.6 Release Notes for information about the most
significant bug fixes and enhancements included in this release.
Security Fix(es):
* jboss-remoting: Threads hold up forever in the EJB server by suppressing
the ack from an EJB client (CVE-2020-35510)
* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)
* wildfly-undertow: undertow: Possible regression in fix for CVE-2020-10687
(CVE-2021-20220)
* jboss-ejb-client: wildfly: Information disclosure due to publicly
accessible privileged actions in JBoss EJB Client (CVE-2021-20250)
* guava: local information disclosure via temporary directory created with
unsafe permissions (CVE-2020-8908)
3. Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.
The References section of this erratum contains a download link (you must
log in to download the update).
The JBoss server process must be restarted for the update to take effect.
4. Bugs fixed (https://bugzilla.redhat.com/):
1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client
1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687
1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client
5. JIRA issues fixed (https://issues.jboss.org/):
JBEAP-20336 - (7.3.z) Upgrade Bouncy Castle from 1.65.0.redhat-00001 to 1.68.0.redhat-00001
JBEAP-20628 - [GSS] (7.3.z) Upgrade undertow from 2.0.33.SP2-redhat-00001 to 2.0.34.SP1-redhat-00001
JBEAP-20672 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00017 to 2.9.0.redhat-00019
JBEAP-20694 - (7.3.z) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final
JBEAP-20695 - (7.3.z) (WF-Core) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final
JBEAP-20762 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.37.Final-redhat-00001 to 4.0.39.SP1-redhat-00001
JBEAP-20791 - (7.3.z) Upgrade WildFly Elytron from 1.10.10.Final-redhat-00001 to 1.10.11.Final-redhat-00001
JBEAP-20795 - [GSS](7.3.z) Upgrade HAL from 3.2.12.Final-redhat-00001 to 3.2.13.Final-redhat-00001
JBEAP-20802 - (7.3.z) Upgrade Narayana from 5.9.10.Final-redhat-00001 to 5.9.11.Final-redhat-00001
JBEAP-20805 - (7.3.z) Upgrade guava from 25.0.redhat-1 to 30.1.0.redhat-00001
JBEAP-20815 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.20.Final-redhat-00001 to 5.0.20.SP1-redhat-00001
JBEAP-20816 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.24.Final-redhat-00001 to 1.0.25.Final-redhat-00001
JBEAP-20883 - [GSS](7.3.z) Upgrade wildfly-naming-client from 1.0.13.Final-redhat-00001 to 1.0.14.Final-redhat-00001
JBEAP-20887 - (7.3.z) Upgrade IronJacamar from 1.4.22.Final-redhat-00001 to 1.4.27.Final-redhat-00001
JBEAP-20908 - (7.3.z)(wf-core) Upgrade guava from 20.0 to 30.1.0.redhat-00001
JBEAP-20918 - (7.3.z) Upgrade jboss-logmanager from 2.1.17.Final-redhat-00001 to 2.1.18.Final-redhat-00001
JBEAP-20941 - (7.3.z)(wf-core) Upgrade Bouncy Castle from 1.65 to 1.68
6. References:
https://access.redhat.com/security/cve/CVE-2020-8908
https://access.redhat.com/security/cve/CVE-2020-10687
https://access.redhat.com/security/cve/CVE-2020-28052
https://access.redhat.com/security/cve/CVE-2020-35510
https://access.redhat.com/security/cve/CVE-2021-20220
https://access.redhat.com/security/cve/CVE-2021-20250
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYFCwktzjgjWX9erEAQheaxAAlOOQwFBCrQt65iPtvo6SWihpfPGIKsnf
zEJXKq+kvvtN5h+qBCcAeA9yDH8Ful6/kdsk0bZwZdih7Jcmxzo9zeq7uu3txnuQ
/ML9us16c5ziAUn5x63BTckmHLJlSC5Y/8BcWJViEunD7NtiVJhBXVrwQZn25KUX
+ifej3XV3WY05TfU7RCI7iCAONrZmF40qtliykLgp7k6fNnkgy/xFRI5tmX4u22O
RcXypZ6QEfH2sscejp3ld2U3smNFltbiVdxo0xgwMmzV1YRYFJG3g/KZ/a5LXuH3
nhwJuIcwFSbKUiFXDuseo0Nh59vM+0kfeQd0XyS0uqN521SFneyAaBVgCGJ5KMZz
VhbuE/mosG9gRBLatSplaHxQjP7KON3XefE+7A8HRep93ATgWypK0u6LMCTNnxpk
SdJI4K9q/Il4z2/cDZ/DEb2gkQoKFa/aSDMKDrbU2foR2DofuJTUzvcxQ6GSFDBB
cC9/cKUmHjdoNMPqnImFPem32KIc2dwtQaSDODQMnTvI0ZcdHCwqHpDrw6Vd0Zdd
bMp1p2t56Dpw3ImDZTI04p8my/X6J0w9RHkbfnON0yepHAU+MYquQK2ghCtmwmp8
Wu0g38Zu9Wx110J1mypYIEhp903ckNg6uI+yVEZaeOFFQqudZ838uYqkYewmkeEJ
NedoWoNbNfw=
=Pxds
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYFFUeONLKJtyKPYoAQhwNA/+OHrC90UI3ytI6st6EQhToEloEsVUWgx/
l+a+vysBEVhyTG47gQz+OGWhIz9NfXLj6TGb0R8Bx8t5mOxXPnh9QsittA5/iNlC
75ns564WetKJ8l3QuQOx69t1JoVWe2xnSxKDoMYv1OOgTl+SRcD5JAd8ydZ+mjS7
6yhLMNFSRfQ+BKcRZ54KaS3C7M1n8mcH91deq7jEC/VtFOKgohMLMDPJOnbMtYKk
JsEAT+pIL7D4R5P7stjV+KHeTjZJqN/TGRvuJi8vCmsuHavm+l4sCy0IqD7luKsQ
fA6rBAd3JJMkhcTruMXLQ/V0xPcwgNidxv2rDDJgtx0/NZyu/jQiwvYboIedM7hx
lQJH8fTx9Tt3dAuJryU8s7mlXuu8Ku1xisxDe/kL1Brp53q7FJSu1o4u6gq4l/5L
ug1Jrjkz+zOvhLUM+Hr5j1tElWcp8iPgISVcKZqLpxN/rpei3qfMdU99k8UxnnDw
2tShUfMp89vGjzHcHb9iGtBF1xjrD5WN8yJ5qtG7HzExDCZJkvbUCRhqR/f+2AuD
bVGFbc6pos+fDjblVmCf/WqZ8cKu/yTJYyl5w7iNBHdTyMtno7n9OJMHkntdErP0
66X9JU3OR0BTVBUABSXznHiISD2eNS49wlwh8pcxEoHaXy+jLyjeMCH/CXjaCVw7
+JaCUN6/wIA=
=DRf3
-----END PGP SIGNATURE-----