Twenty Year Anniversary

Red Hat Security Advisory 2018-2470-01

Red Hat Security Advisory 2018-2470-01
Posted Aug 16, 2018
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2018-2470-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes. Issues addressed include insecure defaults.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2018-8014, CVE-2018-8019, CVE-2018-8020
MD5 | 0978b9a105f760eb1d02c662aad1ec27

Red Hat Security Advisory 2018-2470-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 4 security and bug fix update
Advisory ID: RHSA-2018:2470-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2470
Issue date: 2018-08-16
CVE Names: CVE-2018-8014 CVE-2018-8019 CVE-2018-8020
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for
all origins (CVE-2018-8014)

* tomcat-native: Mishandled OCSP invalid response (CVE-2018-8019)

* tomcat-native: Mishandled OCSP responses can allow clients to
authenticate with revoked certificates (CVE-2018-8020)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

The following packages have been upgraded to a newer upstream version:
* OpenSSL (1.0.2n)
* APR (1.6.3)

CVE-2018-8019 and CVE-2018-8020 were discovered by Coty Sutherland (Red
Hat).

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
1581569 - CVE-2018-8020 tomcat-native: Mishandled OCSP responses can allow clients to authenticate with revoked certificates
1583998 - CVE-2018-8019 tomcat-native: Mishandled OCSP invalid response

5. JIRA issues fixed (https://issues.jboss.org/):

JWS-1042 - version.txt information is outdated

6. References:

https://access.redhat.com/security/cve/CVE-2018-8014
https://access.redhat.com/security/cve/CVE-2018-8019
https://access.redhat.com/security/cve/CVE-2018-8020
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html-single/red_hat_jboss_web_server_3.1_service_pack_4_release_notes/

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW3WPWtzjgjWX9erEAQjl5A/8Deu9yTNmt4FBz2l24kIqbks3FrYHmLe6
IzdVcjS5Hy3Cs0Um9fx0xLX4r4+ONjJu2u6JgCbPX/m1BuLiA74RtCNJTzKUCgOV
R/6X3ve6oVmX+rx4aNAV3TAKguK7jTuhqNwd8g8sNSbtMmWpI5Tjinv76WTGAGzr
UZsZHjAep9MAmLLI/kKd4fiFoLEpby2UAo/jT+9eDL/CQj1EIc5N854NNvATfid7
ib+Op64qsmNhFr4hvZJ9Hq4W678K34hBHyRTlmcU2Cnwqx2/knIJcgpNeQTEGWPm
cpCj+8aYg4I91ih0rM3nEnnl92vb2iZT/EwusQfT/fCtvpk806/Wvu3IctQKUKgP
weqSqlqhp3THQEAXKaISvkRC52a3LHME0U4UEScw2fl2I3l4h+2Oz5fmOmApRBjD
8ZxeeIXqgdoncvDfr0AToPdrhV/oEsMyfIlsFvHCQTCFBV7+mKLQUkcN3wNfdbOv
uGFJ5/yeBbpSwcwvsuiiqrcB7Yf+5KYQTV5crYb+9ypBBDnAK3io7UHB6mc9uoCX
y8ihcJgDXlQQe85zNwcvjmlPrC+yq27Z5GLwrzUKChhhHqr4RbvhBjx5xQjf7wcY
n2GJUkF6hImie5oOSn0fzPClnlFvMHw0pidSGr19o5xeBxn8lHzykMczRLZ2KbR+
b6r30hMVGgE=
=BflZ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    15 Files
  • 14
    Dec 14th
    14 Files
  • 15
    Dec 15th
    2 Files
  • 16
    Dec 16th
    3 Files
  • 17
    Dec 17th
    15 Files
  • 18
    Dec 18th
    1 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close