Red Hat Security Advisory 2018-2470-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes. Issues addressed include insecure defaults.
7c59532733c38f637d3997844cec73a4dbac335476a98bc66adf427a840b3d53-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 4 security and bug fix update
Advisory ID: RHSA-2018:2470-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2470
Issue date: 2018-08-16
CVE Names: CVE-2018-8014 CVE-2018-8019 CVE-2018-8020
=====================================================================
1. Summary:
An update is now available for Red Hat JBoss Web Server 3.1.
Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.
This release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.
Security Fix(es):
* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for
all origins (CVE-2018-8014)
* tomcat-native: Mishandled OCSP invalid response (CVE-2018-8019)
* tomcat-native: Mishandled OCSP responses can allow clients to
authenticate with revoked certificates (CVE-2018-8020)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
The following packages have been upgraded to a newer upstream version:
* OpenSSL (1.0.2n)
* APR (1.6.3)
CVE-2018-8019 and CVE-2018-8020 were discovered by Coty Sutherland (Red
Hat).
3. Solution:
Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
1581569 - CVE-2018-8020 tomcat-native: Mishandled OCSP responses can allow clients to authenticate with revoked certificates
1583998 - CVE-2018-8019 tomcat-native: Mishandled OCSP invalid response
5. JIRA issues fixed (https://issues.jboss.org/):
JWS-1042 - version.txt information is outdated
6. References:
https://access.redhat.com/security/cve/CVE-2018-8014
https://access.redhat.com/security/cve/CVE-2018-8019
https://access.redhat.com/security/cve/CVE-2018-8020
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html-single/red_hat_jboss_web_server_3.1_service_pack_4_release_notes/
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBW3WPWtzjgjWX9erEAQjl5A/8Deu9yTNmt4FBz2l24kIqbks3FrYHmLe6
IzdVcjS5Hy3Cs0Um9fx0xLX4r4+ONjJu2u6JgCbPX/m1BuLiA74RtCNJTzKUCgOV
R/6X3ve6oVmX+rx4aNAV3TAKguK7jTuhqNwd8g8sNSbtMmWpI5Tjinv76WTGAGzr
UZsZHjAep9MAmLLI/kKd4fiFoLEpby2UAo/jT+9eDL/CQj1EIc5N854NNvATfid7
ib+Op64qsmNhFr4hvZJ9Hq4W678K34hBHyRTlmcU2Cnwqx2/knIJcgpNeQTEGWPm
cpCj+8aYg4I91ih0rM3nEnnl92vb2iZT/EwusQfT/fCtvpk806/Wvu3IctQKUKgP
weqSqlqhp3THQEAXKaISvkRC52a3LHME0U4UEScw2fl2I3l4h+2Oz5fmOmApRBjD
8ZxeeIXqgdoncvDfr0AToPdrhV/oEsMyfIlsFvHCQTCFBV7+mKLQUkcN3wNfdbOv
uGFJ5/yeBbpSwcwvsuiiqrcB7Yf+5KYQTV5crYb+9ypBBDnAK3io7UHB6mc9uoCX
y8ihcJgDXlQQe85zNwcvjmlPrC+yq27Z5GLwrzUKChhhHqr4RbvhBjx5xQjf7wcY
n2GJUkF6hImie5oOSn0fzPClnlFvMHw0pidSGr19o5xeBxn8lHzykMczRLZ2KbR+
b6r30hMVGgE=
=BflZ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed