Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0922 Red Hat JBoss Enterprise Application Platform security update 17 March 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat JBoss Enterprise Application Platform Publisher: Red Hat Operating System: Red Hat Impact/Access: Cross-site Scripting -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2021-20250 CVE-2021-20220 CVE-2020-35510 CVE-2020-28052 CVE-2020-10687 CVE-2020-8908 Reference: ESB-2020.3065 ESB-2020.2826 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:0872 https://access.redhat.com/errata/RHSA-2021:0873 https://access.redhat.com/errata/RHSA-2021:0874 https://access.redhat.com/errata/RHSA-2021:0885 Comment: This bulletin contains four (4) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.6 security update Advisory ID: RHSA-2021:0872-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2021:0872 Issue date: 2021-03-16 CVE Names: CVE-2020-8908 CVE-2020-10687 CVE-2020-28052 CVE-2020-35510 CVE-2021-20220 CVE-2021-20250 ===================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.3 for RHEL 6 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client (CVE-2020-35510) * bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible (CVE-2020-28052) * wildfly-undertow: undertow: Possible regression in fix for CVE-2020-10687 (CVE-2021-20220) * jboss-ejb-client: wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client (CVE-2021-20250) * guava: local information disclosure via temporary directory created with unsafe permissions (CVE-2020-8908) 4. Solution: Before applying this update, ensure all previously released errata relevant to your system have been applied. For details about how to apply this update, see: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client 1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions 1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible 1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687 1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-20336 - (7.3.z) Upgrade Bouncy Castle from 1.65.0.redhat-00001 to 1.68.0.redhat-00001 JBEAP-20628 - [GSS] (7.3.z) Upgrade undertow from 2.0.33.SP2-redhat-00001 to 2.0.34.SP1-redhat-00001 JBEAP-20672 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00017 to 2.9.0.redhat-00019 JBEAP-20694 - (7.3.z) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final JBEAP-20695 - (7.3.z) (WF-Core) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final JBEAP-20715 - Tracker bug for the EAP 7.3.6 release for RHEL-6 JBEAP-20762 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.37.Final-redhat-00001 to 4.0.39.SP1-redhat-00001 JBEAP-20791 - (7.3.z) Upgrade WildFly Elytron from 1.10.10.Final-redhat-00001 to 1.10.11.Final-redhat-00001 JBEAP-20795 - [GSS](7.3.z) Upgrade HAL from 3.2.12.Final-redhat-00001 to 3.2.13.Final-redhat-00001 JBEAP-20802 - (7.3.z) Upgrade Narayana from 5.9.10.Final-redhat-00001 to 5.9.11.Final-redhat-00001 JBEAP-20805 - (7.3.z) Upgrade guava from 25.0.redhat-1 to 30.1.0.redhat-00001 JBEAP-20815 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.20.Final-redhat-00001 to 5.0.20.SP1-redhat-00001 JBEAP-20816 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.24.Final-redhat-00001 to 1.0.25.Final-redhat-00001 JBEAP-20883 - [GSS](7.3.z) Upgrade wildfly-naming-client from 1.0.13.Final-redhat-00001 to 1.0.14.Final-redhat-00001 JBEAP-20887 - (7.3.z) Upgrade IronJacamar from 1.4.22.Final-redhat-00001 to 1.4.27.Final-redhat-00001 JBEAP-20908 - (7.3.z)(wf-core) Upgrade guava from 20.0 to 30.1.0.redhat-00001 JBEAP-20918 - (7.3.z) Upgrade jboss-logmanager from 2.1.17.Final-redhat-00001 to 2.1.18.Final-redhat-00001 JBEAP-20941 - (7.3.z)(wf-core) Upgrade Bouncy Castle from 1.65 to 1.68 7. Package List: Red Hat JBoss EAP 7.3 for RHEL 6 Server: Source: eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el6eap.src.rpm eap7-bouncycastle-1.68.0-1.redhat_00001.1.el6eap.src.rpm eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el6eap.src.rpm eap7-guava-libraries-30.1.0-1.redhat_00001.1.el6eap.src.rpm eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el6eap.src.rpm eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el6eap.src.rpm eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el6eap.src.rpm eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el6eap.src.rpm eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el6eap.src.rpm eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el6eap.src.rpm eap7-narayana-5.9.11-1.Final_redhat_00001.1.el6eap.src.rpm eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el6eap.src.rpm eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el6eap.src.rpm eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el6eap.src.rpm eap7-wildfly-http-client-1.0.25-1.Final_redhat_00001.1.el6eap.src.rpm eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el6eap.src.rpm noarch: eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-cli-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-commons-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-core-client-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-dto-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-jms-client-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-jms-server-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-journal-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-ra-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-selector-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-server-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-activemq-artemis-tools-2.9.0-9.redhat_00019.1.el6eap.noarch.rpm eap7-bouncycastle-1.68.0-1.redhat_00001.1.el6eap.noarch.rpm eap7-bouncycastle-mail-1.68.0-1.redhat_00001.1.el6eap.noarch.rpm eap7-bouncycastle-pkix-1.68.0-1.redhat_00001.1.el6eap.noarch.rpm eap7-bouncycastle-prov-1.68.0-1.redhat_00001.1.el6eap.noarch.rpm eap7-guava-30.1.0-1.redhat_00001.1.el6eap.noarch.rpm eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el6eap.noarch.rpm eap7-guava-libraries-30.1.0-1.redhat_00001.1.el6eap.noarch.rpm eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-common-api-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-core-api-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-ironjacamar-validator-1.4.27-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el6eap.noarch.rpm eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el6eap.noarch.rpm eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-cli-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-core-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-eap7.3-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly15.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly16.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly17.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly18.0-server-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.7.2-5.Final_redhat_00006.1.el6eap.noarch.rpm eap7-narayana-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-narayana-compensations-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-narayana-jbosstxbridge-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-narayana-jbossxts-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-narayana-jts-idlj-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-narayana-jts-integration-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-narayana-restat-api-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-narayana-restat-bridge-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-narayana-restat-integration-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-narayana-restat-util-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-narayana-txframework-5.9.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el6eap.noarch.rpm eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-elytron-tool-1.10.11-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-client-common-1.0.25-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.25-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.25-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.25-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-wildfly-javadocs-7.3.6-1.GA_redhat_00002.1.el6eap.noarch.rpm eap7-wildfly-modules-7.3.6-1.GA_redhat_00002.1.el6eap.noarch.rpm eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el6eap.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-8908 https://access.redhat.com/security/cve/CVE-2020-10687 https://access.redhat.com/security/cve/CVE-2020-28052 https://access.redhat.com/security/cve/CVE-2020-35510 https://access.redhat.com/security/cve/CVE-2021-20220 https://access.redhat.com/security/cve/CVE-2021-20250 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYFC6DdzjgjWX9erEAQinwA//QQioMLdx/TEKxOQZTvYT8u6B9lAP8WWc J4N8LNGdcFToicJ+6+HrSASoTO2cAP+smsoum2EthY+9pQQZnKbkYzZVIxHkb5Ob sAbBli3aYUNe1PWjjOXtPtcfZq06obphJf6k0uy6Xj6+hRN+Rhg+j92Aq6drEIEr 1C2AbrZ5WZtMWbwWk/cKpLyntjETGE/2Ulh7UBzmlfPZwpS9+AsthwbPKfk3sgOl IVu70V/fSYtsJ+hBJF62fliC1DRFVZmdtHk5mCcy/6GLKx6gu7KfRuKcn/+r8jG5 pmMxOno2nNQI1kbTD7K1Z7yFWx1H2/mc1LNXlFzu+raT6sNpzHCS63OpwVrsjyzr wRdqno2gEXWaqipkfD7X0v7/n7T9sKRTD8hTCYb4ACVtiT7BSEvjRPjjInkRhuLs t2/JYFD33pECUL3+Kpra+golkGW+cCfZk0xP7Mq3GiOK9ve/kEQoyM9UpyUpZ/Pt onKGc/xQD2hwBMwITU68oHnkZSwb4aGQA/gpkYED5t2oiqWsN8mIdRrkerEet8/K K8A0e0ycQFRZPVfHJy1adGvZhYCmnQBAuhNu+2UZjXoeZgQ6TB/nOKDNXtbGxy4b p0abGao+HJ7iCm5NQgqW2TULyqsWYiDRGNjYbOi+HTGn9lTF/LmhI64bnaTBIUnL F8BNkuUT5+0= =fyBq - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.6 security update Advisory ID: RHSA-2021:0873-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2021:0873 Issue date: 2021-03-16 CVE Names: CVE-2020-8908 CVE-2020-10687 CVE-2020-28052 CVE-2020-35510 CVE-2021-20220 CVE-2021-20250 ===================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.3 for RHEL 7 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client (CVE-2020-35510) * bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible (CVE-2020-28052) * wildfly-undertow: undertow: Possible regression in fix for CVE-2020-10687 (CVE-2021-20220) * jboss-ejb-client: wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client (CVE-2021-20250) * guava: local information disclosure via temporary directory created with unsafe permissions (CVE-2020-8908) 4. Solution: Before applying this update, ensure all previously released errata relevant to your system have been applied. For details about how to apply this update, see: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client 1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions 1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible 1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687 1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-20336 - (7.3.z) Upgrade Bouncy Castle from 1.65.0.redhat-00001 to 1.68.0.redhat-00001 JBEAP-20628 - [GSS] (7.3.z) Upgrade undertow from 2.0.33.SP2-redhat-00001 to 2.0.34.SP1-redhat-00001 JBEAP-20672 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00017 to 2.9.0.redhat-00019 JBEAP-20694 - (7.3.z) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final JBEAP-20695 - (7.3.z) (WF-Core) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final JBEAP-20716 - Tracker bug for the EAP 7.3.6 release for RHEL-7 JBEAP-20762 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.37.Final-redhat-00001 to 4.0.39.SP1-redhat-00001 JBEAP-20791 - (7.3.z) Upgrade WildFly Elytron from 1.10.10.Final-redhat-00001 to 1.10.11.Final-redhat-00001 JBEAP-20795 - [GSS](7.3.z) Upgrade HAL from 3.2.12.Final-redhat-00001 to 3.2.13.Final-redhat-00001 JBEAP-20802 - (7.3.z) Upgrade Narayana from 5.9.10.Final-redhat-00001 to 5.9.11.Final-redhat-00001 JBEAP-20805 - (7.3.z) Upgrade guava from 25.0.redhat-1 to 30.1.0.redhat-00001 JBEAP-20815 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.20.Final-redhat-00001 to 5.0.20.SP1-redhat-00001 JBEAP-20816 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.24.Final-redhat-00001 to 1.0.25.Final-redhat-00001 JBEAP-20883 - [GSS](7.3.z) Upgrade wildfly-naming-client from 1.0.13.Final-redhat-00001 to 1.0.14.Final-redhat-00001 JBEAP-20887 - (7.3.z) Upgrade IronJacamar from 1.4.22.Final-redhat-00001 to 1.4.27.Final-redhat-00001 JBEAP-20908 - (7.3.z)(wf-core) Upgrade guava from 20.0 to 30.1.0.redhat-00001 JBEAP-20918 - (7.3.z) Upgrade jboss-logmanager from 2.1.17.Final-redhat-00001 to 2.1.18.Final-redhat-00001 JBEAP-20941 - (7.3.z)(wf-core) Upgrade Bouncy Castle from 1.65 to 1.68 7. Package List: Red Hat JBoss EAP 7.3 for RHEL 7 Server: Source: eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el7eap.src.rpm eap7-bouncycastle-1.68.0-1.redhat_00001.1.el7eap.src.rpm eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el7eap.src.rpm eap7-guava-libraries-30.1.0-1.redhat_00001.1.el7eap.src.rpm eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el7eap.src.rpm eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el7eap.src.rpm eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el7eap.src.rpm eap7-narayana-5.9.11-1.Final_redhat_00001.1.el7eap.src.rpm eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el7eap.src.rpm eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-http-client-1.0.25-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el7eap.src.rpm noarch: eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-cli-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-commons-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-core-client-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-dto-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-client-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-server-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-journal-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-ra-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-selector-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-server-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-tools-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-bouncycastle-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-bouncycastle-mail-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-bouncycastle-pkix-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-bouncycastle-prov-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-guava-30.1.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el7eap.noarch.rpm eap7-guava-libraries-30.1.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-api-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-api-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-validator-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-cli-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-core-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.3-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly15.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly16.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly17.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly18.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-narayana-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-compensations-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jbosstxbridge-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jbossxts-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jts-idlj-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jts-integration-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-api-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-bridge-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-integration-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-util-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-txframework-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-tool-1.10.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-client-common-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-java-jdk11-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-java-jdk8-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-javadocs-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-modules-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el7eap.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-8908 https://access.redhat.com/security/cve/CVE-2020-10687 https://access.redhat.com/security/cve/CVE-2020-28052 https://access.redhat.com/security/cve/CVE-2020-35510 https://access.redhat.com/security/cve/CVE-2021-20220 https://access.redhat.com/security/cve/CVE-2021-20250 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYFC6PNzjgjWX9erEAQhwXw/+IcftYvV0k1bn5cPiB200OQaDYIqoqaf7 10hvauMXgYTx6CqYHVhBfJ9GGp0u+3RyhQroGQ0KX4/98D2SDcMduCMI+2MrMXlP Lh0/9BSfpeMha0ofuTeBr1Ut/YUthuC7hb6bmHmIu7WgVbllg5JdoSvczz8ssnMs h8JIlBh+3iLHAvE2HVEHiwEVTpuNpw7hJWnIOAyVZrInpWWKTtDs9DVodcopIOY1 tug3wDP7eVAFB5HY8eEjg8IzWXyDAD2/jH/KdlycbWUaddCQ1MHEfkpCoBqt3UPa TsIMyOiUx2dlF1vX62W3rJsGS4YMVWPpcgOqY6nFCpQngjZg2FN1lvwpeVlbUWH6 JCKTpyIOxUJnyQ0WC6CCn/K21trGj7VpeO5uyYBs9e1oel2ZvJjFdk+5Xu4SpO/u QucA/sz2yzMmGGMvQFnVyfLHZsb9yWh7ZXawmaGk4Pjl1UKkpgw+xqUbjf/x0oWi pjC+00IqXC+Sbq1ymcV+tBWMeBVYzoCY2ZMGQ7EV45EXniWM28M2+DJspp50c5HP QlYBHjdZxgvvKmrZHXOqqLNweVsOm/2vQVW097WTGH4LTDf3fTgWF6EuYuZu1cV1 hToZXAiaXQCP8F5ul44VWAw7ANraKzs1/gNWTCZvJFxX2m4AxrtBF+FRQ5lecpg6 OzFY6V140vk= =Q4ys - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.6 security update Advisory ID: RHSA-2021:0874-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2021:0874 Issue date: 2021-03-16 CVE Names: CVE-2020-8908 CVE-2020-10687 CVE-2020-28052 CVE-2020-35510 CVE-2021-20220 CVE-2021-20250 ===================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client (CVE-2020-35510) * bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible (CVE-2020-28052) * wildfly-undertow: undertow: Possible regression in fix for CVE-2020-10687 (CVE-2021-20220) * jboss-ejb-client: wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client (CVE-2021-20250) * guava: local information disclosure via temporary directory created with unsafe permissions (CVE-2020-8908) 4. Solution: Before applying this update, ensure all previously released errata relevant to your system have been applied. For details about how to apply this update, see: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client 1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions 1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible 1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687 1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-20336 - (7.3.z) Upgrade Bouncy Castle from 1.65.0.redhat-00001 to 1.68.0.redhat-00001 JBEAP-20628 - [GSS] (7.3.z) Upgrade undertow from 2.0.33.SP2-redhat-00001 to 2.0.34.SP1-redhat-00001 JBEAP-20672 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00017 to 2.9.0.redhat-00019 JBEAP-20694 - (7.3.z) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final JBEAP-20695 - (7.3.z) (WF-Core) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final JBEAP-20717 - Tracker bug for the EAP 7.3.6 release for RHEL-8 JBEAP-20762 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.37.Final-redhat-00001 to 4.0.39.SP1-redhat-00001 JBEAP-20791 - (7.3.z) Upgrade WildFly Elytron from 1.10.10.Final-redhat-00001 to 1.10.11.Final-redhat-00001 JBEAP-20795 - [GSS](7.3.z) Upgrade HAL from 3.2.12.Final-redhat-00001 to 3.2.13.Final-redhat-00001 JBEAP-20802 - (7.3.z) Upgrade Narayana from 5.9.10.Final-redhat-00001 to 5.9.11.Final-redhat-00001 JBEAP-20805 - (7.3.z) Upgrade guava from 25.0.redhat-1 to 30.1.0.redhat-00001 JBEAP-20815 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.20.Final-redhat-00001 to 5.0.20.SP1-redhat-00001 JBEAP-20816 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.24.Final-redhat-00001 to 1.0.25.Final-redhat-00001 JBEAP-20883 - [GSS](7.3.z) Upgrade wildfly-naming-client from 1.0.13.Final-redhat-00001 to 1.0.14.Final-redhat-00001 JBEAP-20887 - (7.3.z) Upgrade IronJacamar from 1.4.22.Final-redhat-00001 to 1.4.27.Final-redhat-00001 JBEAP-20908 - (7.3.z)(wf-core) Upgrade guava from 20.0 to 30.1.0.redhat-00001 JBEAP-20918 - (7.3.z) Upgrade jboss-logmanager from 2.1.17.Final-redhat-00001 to 2.1.18.Final-redhat-00001 JBEAP-20941 - (7.3.z)(wf-core) Upgrade Bouncy Castle from 1.65 to 1.68 7. Package List: Red Hat JBoss EAP 7.3 for BaseOS-8: Source: eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el8eap.src.rpm eap7-bouncycastle-1.68.0-1.redhat_00001.1.el8eap.src.rpm eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el8eap.src.rpm eap7-guava-libraries-30.1.0-1.redhat_00001.1.el8eap.src.rpm eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el8eap.src.rpm eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el8eap.src.rpm eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el8eap.src.rpm eap7-narayana-5.9.11-1.Final_redhat_00001.1.el8eap.src.rpm eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el8eap.src.rpm eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el8eap.src.rpm eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-http-client-1.0.25-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el8eap.src.rpm noarch: eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-cli-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-commons-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-core-client-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-dto-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-client-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-jms-server-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-journal-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-ra-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-selector-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-server-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-activemq-artemis-tools-2.9.0-9.redhat_00019.1.el8eap.noarch.rpm eap7-bouncycastle-1.68.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-bouncycastle-mail-1.68.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-bouncycastle-pkix-1.68.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-bouncycastle-prov-1.68.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-guava-30.1.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el8eap.noarch.rpm eap7-guava-libraries-30.1.0-1.redhat_00001.1.el8eap.noarch.rpm eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-api-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-api-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-validator-1.4.27-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.3-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly15.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly16.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly17.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly18.0-server-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.7.2-5.Final_redhat_00006.1.el8eap.noarch.rpm eap7-narayana-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-compensations-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jbosstxbridge-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jbossxts-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jts-idlj-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-jts-integration-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-api-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-bridge-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-integration-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-restat-util-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-narayana-txframework-5.9.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-elytron-tool-1.10.11-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-client-common-1.0.25-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.25-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.25-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.25-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.3.6-1.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-modules-7.3.6-1.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el8eap.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-8908 https://access.redhat.com/security/cve/CVE-2020-10687 https://access.redhat.com/security/cve/CVE-2020-28052 https://access.redhat.com/security/cve/CVE-2020-35510 https://access.redhat.com/security/cve/CVE-2021-20220 https://access.redhat.com/security/cve/CVE-2021-20250 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYFC50dzjgjWX9erEAQgPxQ/+Iju5zlYLiYdk7wE9qAtkJGIzfX8BqhQe 2J+/jKdOk8WoYbHaxT+X2w4BqHsVW/U2paYprzaevzAxGYQIiJUndPZTqVRhh50f 0Qu+B6h86kWVgvasepjhCj8BxnM1TkzQj6sWMcFPJsktivOCa5bbqv2BU/zzZoDs gNnZHBAX3wroDptZ5NPo70wJKzYC/nz5AlIbFN3PHJSkaGSe+DVdBH+OuX9MVabV cgomDk/PPWDz3iSKiIoXEorVY//INtt7c6eQ4qToVv8+azM8pBzLkzmzFmwmjNKh cNyOU8aMJUI/onmGaLdw4aodOKwePRPvY9wTxj4FcHdXEp0pU2r/ivjMIMs2Gmg1 mTzCKKL3pQaI6cIEs+K4WheF8e5TvUrlIOdd5fMGhfUTAx5WHx7AQj01KhYAFKI0 HLjRaNpF+tHr800PoiLQkkhg6IZ38h0KA1aZ7RaCkw90Adcy+U8ejrcaOnCdp18u Tw2VOF/M816WDFZmu8R8ek1miiIxRs4aLm1Pxna1wKQ/91WqPf1OqhTFqV6YQPzR M7e+p/Gol2qulobvuFSWAQnnjcOZ2PbT0KEle4ikokO8jaBeErzfoAFxQK5vxWZz CuJo2ApDky63Kc1ZRrWfBMltWrvHesky7qE6iAxNRbwQcCIz2+Bdk1KNFz/ZgXkU nFu2QOgd2ec= =HSpl - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.6 security update Advisory ID: RHSA-2021:0885-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2021:0885 Issue date: 2021-03-16 CVE Names: CVE-2020-8908 CVE-2020-10687 CVE-2020-28052 CVE-2020-35510 CVE-2021-20220 CVE-2021-20250 ===================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client (CVE-2020-35510) * bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible (CVE-2020-28052) * wildfly-undertow: undertow: Possible regression in fix for CVE-2020-10687 (CVE-2021-20220) * jboss-ejb-client: wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client (CVE-2021-20250) * guava: local information disclosure via temporary directory created with unsafe permissions (CVE-2020-8908) 3. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. The References section of this erratum contains a download link (you must log in to download the update). The JBoss server process must be restarted for the update to take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client 1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions 1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible 1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687 1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client 5. JIRA issues fixed (https://issues.jboss.org/): JBEAP-20336 - (7.3.z) Upgrade Bouncy Castle from 1.65.0.redhat-00001 to 1.68.0.redhat-00001 JBEAP-20628 - [GSS] (7.3.z) Upgrade undertow from 2.0.33.SP2-redhat-00001 to 2.0.34.SP1-redhat-00001 JBEAP-20672 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00017 to 2.9.0.redhat-00019 JBEAP-20694 - (7.3.z) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final JBEAP-20695 - (7.3.z) (WF-Core) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final JBEAP-20762 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.37.Final-redhat-00001 to 4.0.39.SP1-redhat-00001 JBEAP-20791 - (7.3.z) Upgrade WildFly Elytron from 1.10.10.Final-redhat-00001 to 1.10.11.Final-redhat-00001 JBEAP-20795 - [GSS](7.3.z) Upgrade HAL from 3.2.12.Final-redhat-00001 to 3.2.13.Final-redhat-00001 JBEAP-20802 - (7.3.z) Upgrade Narayana from 5.9.10.Final-redhat-00001 to 5.9.11.Final-redhat-00001 JBEAP-20805 - (7.3.z) Upgrade guava from 25.0.redhat-1 to 30.1.0.redhat-00001 JBEAP-20815 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.20.Final-redhat-00001 to 5.0.20.SP1-redhat-00001 JBEAP-20816 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.24.Final-redhat-00001 to 1.0.25.Final-redhat-00001 JBEAP-20883 - [GSS](7.3.z) Upgrade wildfly-naming-client from 1.0.13.Final-redhat-00001 to 1.0.14.Final-redhat-00001 JBEAP-20887 - (7.3.z) Upgrade IronJacamar from 1.4.22.Final-redhat-00001 to 1.4.27.Final-redhat-00001 JBEAP-20908 - (7.3.z)(wf-core) Upgrade guava from 20.0 to 30.1.0.redhat-00001 JBEAP-20918 - (7.3.z) Upgrade jboss-logmanager from 2.1.17.Final-redhat-00001 to 2.1.18.Final-redhat-00001 JBEAP-20941 - (7.3.z)(wf-core) Upgrade Bouncy Castle from 1.65 to 1.68 6. References: https://access.redhat.com/security/cve/CVE-2020-8908 https://access.redhat.com/security/cve/CVE-2020-10687 https://access.redhat.com/security/cve/CVE-2020-28052 https://access.redhat.com/security/cve/CVE-2020-35510 https://access.redhat.com/security/cve/CVE-2021-20220 https://access.redhat.com/security/cve/CVE-2021-20250 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYFCwktzjgjWX9erEAQheaxAAlOOQwFBCrQt65iPtvo6SWihpfPGIKsnf zEJXKq+kvvtN5h+qBCcAeA9yDH8Ful6/kdsk0bZwZdih7Jcmxzo9zeq7uu3txnuQ /ML9us16c5ziAUn5x63BTckmHLJlSC5Y/8BcWJViEunD7NtiVJhBXVrwQZn25KUX +ifej3XV3WY05TfU7RCI7iCAONrZmF40qtliykLgp7k6fNnkgy/xFRI5tmX4u22O RcXypZ6QEfH2sscejp3ld2U3smNFltbiVdxo0xgwMmzV1YRYFJG3g/KZ/a5LXuH3 nhwJuIcwFSbKUiFXDuseo0Nh59vM+0kfeQd0XyS0uqN521SFneyAaBVgCGJ5KMZz VhbuE/mosG9gRBLatSplaHxQjP7KON3XefE+7A8HRep93ATgWypK0u6LMCTNnxpk SdJI4K9q/Il4z2/cDZ/DEb2gkQoKFa/aSDMKDrbU2foR2DofuJTUzvcxQ6GSFDBB cC9/cKUmHjdoNMPqnImFPem32KIc2dwtQaSDODQMnTvI0ZcdHCwqHpDrw6Vd0Zdd bMp1p2t56Dpw3ImDZTI04p8my/X6J0w9RHkbfnON0yepHAU+MYquQK2ghCtmwmp8 Wu0g38Zu9Wx110J1mypYIEhp903ckNg6uI+yVEZaeOFFQqudZ838uYqkYewmkeEJ NedoWoNbNfw= =Pxds - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYFFUeONLKJtyKPYoAQhwNA/+OHrC90UI3ytI6st6EQhToEloEsVUWgx/ l+a+vysBEVhyTG47gQz+OGWhIz9NfXLj6TGb0R8Bx8t5mOxXPnh9QsittA5/iNlC 75ns564WetKJ8l3QuQOx69t1JoVWe2xnSxKDoMYv1OOgTl+SRcD5JAd8ydZ+mjS7 6yhLMNFSRfQ+BKcRZ54KaS3C7M1n8mcH91deq7jEC/VtFOKgohMLMDPJOnbMtYKk JsEAT+pIL7D4R5P7stjV+KHeTjZJqN/TGRvuJi8vCmsuHavm+l4sCy0IqD7luKsQ fA6rBAd3JJMkhcTruMXLQ/V0xPcwgNidxv2rDDJgtx0/NZyu/jQiwvYboIedM7hx lQJH8fTx9Tt3dAuJryU8s7mlXuu8Ku1xisxDe/kL1Brp53q7FJSu1o4u6gq4l/5L ug1Jrjkz+zOvhLUM+Hr5j1tElWcp8iPgISVcKZqLpxN/rpei3qfMdU99k8UxnnDw 2tShUfMp89vGjzHcHb9iGtBF1xjrD5WN8yJ5qtG7HzExDCZJkvbUCRhqR/f+2AuD bVGFbc6pos+fDjblVmCf/WqZ8cKu/yTJYyl5w7iNBHdTyMtno7n9OJMHkntdErP0 66X9JU3OR0BTVBUABSXznHiISD2eNS49wlwh8pcxEoHaXy+jLyjeMCH/CXjaCVw7 +JaCUN6/wIA= =DRf3 -----END PGP SIGNATURE-----