what you don't know can hurt you

Red Hat Security Advisory 2018-2867-01

Red Hat Security Advisory 2018-2867-01
Posted Oct 3, 2018
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2018-2867-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.0 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 5.0, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Issues addressed include an information leakage vulnerability.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2018-8037
MD5 | 4a60c4dfbc4ce4112d5fbd7c85c19701

Red Hat Security Advisory 2018-2867-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 5.0 Service Pack 1 security and bug fix update
Advisory ID: RHSA-2018:2867-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2867
Issue date: 2018-10-03
CVE Names: CVE-2018-8037
====================================================================
1. Summary:

An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and
Red Hat JBoss Web Server 5.0 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.

This release of Red Hat JBoss Web Server 5.0 Service Pack 1 serves as a
replacement for Red Hat JBoss Web Server 5.0, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: Information Disclosure (CVE-2018-8037)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1607582 - CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up

5. JIRA issues fixed (https://issues.jboss.org/):

JWS-1028 - Failures in jBPM embedded use case with H2 database
JWS-1064 - Update the Tomcat fork of Commons DBCP 2 to 2.4.0
JWS-1065 - Tomcat Commons Pool Update
JWS-1121 - Update the internal fork of Apache Commons DBCP 2 to abc0484 (2018-08-09) to pick up some bug fixes and enhancements
JWS-1124 - ARJUNA016082: Synchronizations are not allowed! Transaction status isActionStatus.RUNNING when running jBPM engine in KIE server deployed to Tomcat
JWS-996 - Connection leak during XATransaction in high load

6. References:

https://access.redhat.com/security/cve/CVE-2018-8037
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW7THqNzjgjWX9erEAQhgBxAAgwpl1DjA+TIE/cOEgBlQZX4X3E5JrNCg
1dwWdv5Z14a7Nl5F/MdCzQvv0eGdfn41zXV+NN5ZDkPFDfa9bBsgHDop9uxYGZzR
PcBUvm225DvMk6us4EL730Qt75OiAAfDucbmd1p0WNKyEsZtqoMLEsXuU6cCQ3gs
/4PAuFx0G8JUBR9QilIa8RCnJEIqGKDBXk2vAxeAau14/3fku+D/KAKUFZCFUj7E
YtUYk2SC+AJ9cx1nD97SgFVZrcIJ1enEycpZvMLH0PzEFhjhPe36TRZ+eUKhZG6Z
9DdW7muv9hzXYvw0iFNjtkryHDIKgiDGmF6boQTaBlstzunnn9Pke9aWzbeeQUCp
1s6htjj86txJgiK9QROh27JvzokPwHChx3ru4QCHRDz0QVfjjz49fiCh9KMxadmp
mCcfqcgmNwKcMPPgyXYx7SOdlthCH23hVL+H0V7Tm8T6awXc0XtZKA2RtzQspfrJ
HMuu0WZiRx8akBhTk0AnBmMWmHHRIB9JxYpMJ1bOFyd900XiEM4Si/whuy5vDG7v
e5SGoN4Kmz1uq/oPaQexJEOKKBspVFWPqaRUtDR7g34mV67SLWWM6YnMjpexvpO3
v8vYqHQ/nfczdKtmOYGHfTiq7Z7jg/rGwGAy1khYG0w4OjUx3w44t1Ktrwnnm3Oj
eF2NcyN46CA=9lKT
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close