===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4028
              Red Hat JBoss Web Server 5.6.0 Security release
                              1 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           JBoss Web Server
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service              -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-42340 CVE-2021-33037 CVE-2021-30640

Reference:         ESB-2021.3924
                   ESB-2021.3418

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:4863
   https://access.redhat.com/errata/RHSA-2021:4861

Comment: This bulletin contains two (2) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 5.6.0 Security release
Advisory ID:       RHSA-2021:4863-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4863
Issue date:        2021-11-30
CVE Names:         CVE-2021-30640 CVE-2021-33037 CVE-2021-42340 
=====================================================================

1. Summary:

The Red Hat JBoss Web Server 5.6.0 zip release is now available for Red Hat
Enterprise Linux 7, Red Hat Enterprise Linux 8, and Microsoft Windows.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.6.0 serves as a replacement for
Red Hat JBoss Web Server 5.5.0. This release includes bug fixes,
enhancements and component upgrades, which are documented in the Release
Notes, linked to in the References.

Security Fix(es):

* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could
lead to DoS (CVE-2021-42340)
* tomcat: HTTP request smuggling when used with a reverse proxy
(CVE-2021-33037)
* tomcat: JNDI realm authentication weakness (CVE-2021-30640)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

5. References:

https://access.redhat.com/security/cve/CVE-2021-30640
https://access.redhat.com/security/cve/CVE-2021-33037
https://access.redhat.com/security/cve/CVE-2021-42340
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.


-------------------------------------------------------------------------------


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 5.6.0 Security release
Advisory ID:       RHSA-2021:4861-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4861
Issue date:        2021-11-30
CVE Names:         CVE-2021-30640 CVE-2021-33037 CVE-2021-42340 
=====================================================================

1. Summary:

Updated Red Hat JBoss Web Server 5.6.0 packages are now available for Red
Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Web Server 5.6 for RHEL 7 Server - noarch, x86_64
Red Hat JBoss Web Server 5.6 for RHEL 8 - noarch, x86_64

3. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.6.0 serves as a replacement for
Red Hat JBoss Web Server 5.5.0. This release includes bug fixes,
enhancements and component upgrades, which are documented in the Release
Notes, linked to in the References.

Security Fix(es):

* tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could
lead to DoS (CVE-2021-42340)
* tomcat: HTTP request smuggling when used with a reverse proxy
(CVE-2021-33037)
* tomcat: JNDI realm authentication weakness (CVE-2021-30640)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

6. Package List:

Red Hat JBoss Web Server 5.6 for RHEL 7 Server:

Source:
jws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.src.rpm
jws5-tomcat-native-1.2.30-3.redhat_3.el7jws.src.rpm
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.src.rpm

noarch:
jws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-java-jdk11-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-java-jdk8-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-lib-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm
jws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.30-3.redhat_3.el7jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el7jws.x86_64.rpm

Red Hat JBoss Web Server 5.6 for RHEL 8:

Source:
jws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.src.rpm
jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.src.rpm
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.src.rpm

noarch:
jws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-lib-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm
jws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm

x86_64:
jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.x86_64.rpm
jws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el8jws.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
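The package list above is what a vulnerability-management check compares installed RPMs against. The following is an added example, not part of the Red Hat or AusCERT text: it takes `rpm -qa` style lines (a constructed sample is embedded), maps each jws5 sub-package to its source package's fixed version-release from the RHEL 8 list, and reports packages still below the fix. The version comparison is a simplified rpmvercmp (no epoch, tilde or caret handling), which is sufficient for the strings in this advisory.

```python
import re

# Fixed version-release per source package, from the advisory's RHEL 8 list.
# Sub-packages (jws5-tomcat-lib, jws5-tomcat-native-debuginfo, ...) carry their
# source package's version-release, so the longest matching prefix picks the fix.
FIXED_RHEL8 = {
    "jws5-tomcat": "9.0.50-3.redhat_00004.1.el8jws",
    "jws5-tomcat-native": "1.2.30-3.redhat_3.el8jws",
    "jws5-tomcat-vault": "1.1.8-4.Final_redhat_00004.1.el8jws",
}
_SEG = re.compile(r"\d+|[A-Za-z]+")
_ARCH = re.compile(r"\.(noarch|x86_64|i686|src)$")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (no epoch, tilde or caret): returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments are newer

def compare_evr(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def vulnerable_packages(rpm_qa_lines, fixed=FIXED_RHEL8):
    """Names of installed jws5 packages whose version-release is below the fix."""
    stale = []
    for line in rpm_qa_lines:
        # 'jws5-tomcat-lib-9.0.43-3.x.el8jws.noarch' -> name, version, release
        name, ver, rel = _ARCH.sub("", line.strip()).rsplit("-", 2)
        keys = [k for k in fixed if name == k or name.startswith(k + "-")]
        if keys and compare_evr(f"{ver}-{rel}", fixed[max(keys, key=len)]) < 0:
            stale.append(name)
    return sorted(stale)

# Constructed sample of `rpm -qa 'jws5-*'` output: tomcat and its lib sub-package
# are still on a pre-5.6.0 build; tomcat-native is already at the fixed level.
SAMPLE_RPM_QA = [
    "jws5-tomcat-9.0.43-3.redhat_00003.1.el8jws.noarch",
    "jws5-tomcat-lib-9.0.43-3.redhat_00003.1.el8jws.noarch",
    "jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.x86_64",
]
```

On a real host, feed `vulnerable_packages` the output of `rpm -qa 'jws5-*'`; an empty result means every jws5 package is at or above the versions in this erratum.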

7. References:

https://access.redhat.com/security/cve/CVE-2021-30640
https://access.redhat.com/security/cve/CVE-2021-33037
https://access.redhat.com/security/cve/CVE-2021-42340
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================