what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2019-1424-01

Red Hat Security Advisory 2019-1424-01
Posted Jun 10, 2019
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2019-1424-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on JBoss Application Server 7. This release of Red Hat JBoss Enterprise Application Platform 7.2.2 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.1, and includes bug fixes and enhancements. Issues addressed include a cross site scripting vulnerability.

tags | advisory, java, xss
systems | linux, redhat
advisories | CVE-2019-3872, CVE-2019-3873, CVE-2019-3888
SHA-256 | acfd755efb73c460c95fb703be63aee1979ebad35501536289da50f062a7d80f

Red Hat Security Advisory 2019-1424-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.2.2 security update
Advisory ID: RHSA-2019:1424-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2019:1424
Issue date: 2019-06-10
CVE Names: CVE-2019-3872 CVE-2019-3873 CVE-2019-3888
====================================================================
1. Summary:

An update is now available for Red Hat JBoss Enterprise Application
Platform 7.2 for Red Hat Enterprise Linux.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on JBoss Application Server 7.

This release of Red Hat JBoss Enterprise Application Platform 7.2.2 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.1,
and includes bug fixes and enhancements. Refer to the Red Hat JBoss
Enterprise Application Platform 7.2.2 Release Notes for information on the
most significant bug fixes and enhancements included in this release.

Security Fix(es):

* picketlink: reflected XSS in SAMLRequest via RelayState parameter
(CVE-2019-3872)

* picketlink: URL injection via xinclude parameter (CVE-2019-3873)

* undertow: leak credentials to log files
UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

The References section of this erratum contains a download link (you must
log in to download the update).

The JBoss server process must be restarted for the update to take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1688966 - CVE-2019-3872 picketlink: reflected XSS in SAMLRequest via RelayState parameter
1689014 - CVE-2019-3873 picketlink: URL injection via xinclude parameter
1693777 - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed

5. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-16124 - [Runtimes] (7.2.x) Upgrade hornetq from 2.4.7.redhat-1 to 2.4.7.redhat-2
JBEAP-16139 - [GSS](7.2.z) Upgrade javassist from 3.23.1.GA-redhat-00001 to 3.23.2-GA
JBEAP-16360 - (7.2.z) Upgrade RESTEasy from 3.6.1.SP3 to 3.6.1.SP5
JBEAP-16362 - [GSS](7.2.z) Upgrade XNIO from 3.6.5.Final-redhat-00001 to 3.6.6.Final-redhat-00001
JBEAP-16370 - [GSS](7.2.z) Upgrade jboss-ejb-client from 4.0.15 to 4.0.18
JBEAP-16453 - [GSS](7.2.z) Upgrade WildFly HTTP client from 1.0.13 to 1.0.15
JBEAP-16457 - (7.2.z) Upgrade Hibernate ORM from 5.3.9 to 5.3.10
JBEAP-16470 - [GSS](7.2.z) Upgrade JBoss Marshalling from 2.0.6 to 2.0.7
JBEAP-16471 - (7.2.z) Upgrade jgroups from 4.0.15 to 4.0.19
JBEAP-16473 - [GSS](7.2.z) Upgrade openjdk-orb from 8.1.2 to 8.1.3
JBEAP-16580 - (7.2.z) Upgrade WildFly Core from 6.0.12 to 6.0.14
JBEAP-16622 - [GSS](7.2.z) Upgrade Migration Tool from 1.3.0 to 1.3.1
JBEAP-16632 - [GSS](7.2.z) Upgrade JBoss Modules from 1.8.6 to 1.8.8
JBEAP-16633 - [GSS](7.2.z) Upgrade weld from 3.0.5 to 3.0.6
JBEAP-16670 - [GSS](7.2.z) Upgrade JBoss Remoting from 5.0.8 to 5.0.9.Final-redhat-00001
JBEAP-16709 - (7.2.z) Upgrade IronJacamar from 1.4.15.Final to 1.4.16.Final
JBEAP-16717 - [GSS](7.2.z) Upgrade wildfly-discovery-client from 1.1.1.Final to 1.1.2.Final
JBEAP-16720 - (7.2.z) Upgrade WildFly Naming Client from 1.0.9.Final to 1.0.10.Final
JBEAP-16781 - (7.2.z) HHH-13376 Upgrade Javassist dependency to 3.23.2-GA
JBEAP-16881 - [GSS](7.2.z) [EAP] Upgrade wildfly-common from 1.4.0 to 1.5.1
JBEAP-16882 - [GSS](7.2.z) [WF Core] Upgrade wildfly-common from 1.4.0 to 1.5.1

6. References:

https://access.redhat.com/security/cve/CVE-2019-3872
https://access.redhat.com/security/cve/CVE-2019-3873
https://access.redhat.com/security/cve/CVE-2019-3888
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.2
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXP6KuNzjgjWX9erEAQiE9A/9EpU7O323xzS/BeBC1XlE1eu1TFX0e8nR
Rb2rYNirbU8wklm0UKkpwFs7juchzQcgT8uDJ18fPORQOpjVLUJQYWSRY6X8BWQe
nk+HfqOnFECiCBCNKC4FWdUb89MtDHEbWD7JMwzSMa/crx+SktLPl8F0KNuXmbIK
jeCzIQT89CmCU9oU8HY+CylnbnSqxj9m4OCNvyF/CP2ba8nkPMyuoT9uJiW9hb/i
wFbdH2NHz9tIXe02cSl4QmLxNCBCE6W3kbP8QA4SpBatrmOvZFbQUQnmeggKf58g
jtoZNyr9VFulx/tVCuacolr4yVa8DWgrmD1fpF+Fknrmu4sQ2VBwJkaEdPzKTst3
WFZfcwSXUzyyMONU6KvibmZz7NaLSN12prbuiUW+MWseLRcG6l8/JByJJNa4JnQm
FcgqrN34XsAZetm2BLCKBfaIMnuO2z+4nSg42M4J8C00Tmx+GHO7O5BoOwIZrl/E
CBxqZ4rFXvIn70v7jsmmjTutg1x3JlagQBFd32lypRHij4nxm1d0IyQqz2hV/vES
ljMiyJDhYqFLd6JSrcBNuTjnhR5pSM11p0VoW/Y6MHkTwgT86R5rmW/UlbREIknC
2pZ6IMfd3icktyw65NXXsb21d3TVpHc/keyTVrSfmKZqW9aLZT1+tU8XAdQW1ov/
B4O30h8ZfbA=v5UQ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close