what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2018-2470-01

Red Hat Security Advisory 2018-2470-01
Posted Aug 16, 2018
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2018-2470-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes. Issues addressed include insecure defaults.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2018-8014, CVE-2018-8019, CVE-2018-8020
SHA-256 | 7c59532733c38f637d3997844cec73a4dbac335476a98bc66adf427a840b3d53

Red Hat Security Advisory 2018-2470-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 4 security and bug fix update
Advisory ID: RHSA-2018:2470-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2470
Issue date: 2018-08-16
CVE Names: CVE-2018-8014 CVE-2018-8019 CVE-2018-8020
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for
all origins (CVE-2018-8014)

* tomcat-native: Mishandled OCSP invalid response (CVE-2018-8019)

* tomcat-native: Mishandled OCSP responses can allow clients to
authenticate with revoked certificates (CVE-2018-8020)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

The following packages have been upgraded to a newer upstream version:
* OpenSSL (1.0.2n)
* APR (1.6.3)

CVE-2018-8019 and CVE-2018-8020 were discovered by Coty Sutherland (Red
Hat).

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
1581569 - CVE-2018-8020 tomcat-native: Mishandled OCSP responses can allow clients to authenticate with revoked certificates
1583998 - CVE-2018-8019 tomcat-native: Mishandled OCSP invalid response

5. JIRA issues fixed (https://issues.jboss.org/):

JWS-1042 - version.txt information is outdated

6. References:

https://access.redhat.com/security/cve/CVE-2018-8014
https://access.redhat.com/security/cve/CVE-2018-8019
https://access.redhat.com/security/cve/CVE-2018-8020
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html-single/red_hat_jboss_web_server_3.1_service_pack_4_release_notes/

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW3WPWtzjgjWX9erEAQjl5A/8Deu9yTNmt4FBz2l24kIqbks3FrYHmLe6
IzdVcjS5Hy3Cs0Um9fx0xLX4r4+ONjJu2u6JgCbPX/m1BuLiA74RtCNJTzKUCgOV
R/6X3ve6oVmX+rx4aNAV3TAKguK7jTuhqNwd8g8sNSbtMmWpI5Tjinv76WTGAGzr
UZsZHjAep9MAmLLI/kKd4fiFoLEpby2UAo/jT+9eDL/CQj1EIc5N854NNvATfid7
ib+Op64qsmNhFr4hvZJ9Hq4W678K34hBHyRTlmcU2Cnwqx2/knIJcgpNeQTEGWPm
cpCj+8aYg4I91ih0rM3nEnnl92vb2iZT/EwusQfT/fCtvpk806/Wvu3IctQKUKgP
weqSqlqhp3THQEAXKaISvkRC52a3LHME0U4UEScw2fl2I3l4h+2Oz5fmOmApRBjD
8ZxeeIXqgdoncvDfr0AToPdrhV/oEsMyfIlsFvHCQTCFBV7+mKLQUkcN3wNfdbOv
uGFJ5/yeBbpSwcwvsuiiqrcB7Yf+5KYQTV5crYb+9ypBBDnAK3io7UHB6mc9uoCX
y8ihcJgDXlQQe85zNwcvjmlPrC+yq27Z5GLwrzUKChhhHqr4RbvhBjx5xQjf7wcY
n2GJUkF6hImie5oOSn0fzPClnlFvMHw0pidSGr19o5xeBxn8lHzykMczRLZ2KbR+
b6r30hMVGgE=
=BflZ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close