what you don't know can hurt you

Red Hat Security Advisory 2020-0860-01

Red Hat Security Advisory 2020-0860-01
Posted Mar 17, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-0860-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 8 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Issues addressed include a cross site scripting vulnerability.

tags | advisory, java, web, xss
systems | linux, redhat
advisories | CVE-2019-0221, CVE-2019-12418, CVE-2019-17563, CVE-2020-1938
MD5 | 6ba3b558d781a2b1987bc3aaaa7ddf4a

Red Hat Security Advisory 2020-0860-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 8 security update
Advisory ID: RHSA-2020:0860-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0860
Issue date: 2020-03-17
CVE Names: CVE-2019-0221 CVE-2019-12418 CVE-2019-17563
CVE-2020-1938
====================================================================
1. Summary:

An update is now available for Red Hat JBoss Web Server 3.1.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 8 serves as a
replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* tomcat: session fixation (CVE-2019-17563)

* tomcat: local privilege escalation (CVE-2019-12418)

* tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
(CVE-2020-1938)

* tomcat: XSS in SSI printenv (CVE-2019-0221)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1713275 - CVE-2019-0221 tomcat: XSS in SSI printenv
1785699 - CVE-2019-12418 tomcat: local privilege escalation
1785711 - CVE-2019-17563 tomcat: session fixation when using FORM authentication
1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability

5. References:

https://access.redhat.com/security/cve/CVE-2019-0221
https://access.redhat.com/security/cve/CVE-2019-12418
https://access.redhat.com/security/cve/CVE-2019-17563
https://access.redhat.com/security/cve/CVE-2020-1938
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1
https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html/3.1.0_release_notes/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXnDMptzjgjWX9erEAQjrdQ/+IapBuneDq6LpbBTAOPCG5CWZJyvgWtnc
/Q8/A/sppuUEFPEYcI/vPr+kaaI6NeKNr1ITdqPXGTKOb+0lHjnSAoy3hRQsqlg/
I7nw6t9BhQ8cBwkoSR5f1OM9YdltpzNZ/ZAJwOYO4QlK4UAw5s8JtRHCJdIqEbDB
8k5vwRJkEQe4PYoct8H7xY5kdCP9NjqV+rHBPDnJakWX1vShfPiNHTRwLe62BtfO
kxhudqlfplxxSr6sN7ZJxP5eJsOSCmwdVW9VcR+hgdSGzeZsKYb0EwM9tlODU+Sf
yx7HVNd0rV+XryrUSScEmtyRBYMDJp7oGTdY1Lfi8ursPz5GfGP9QfEZGiowxNXH
SD+9wCXzS+QIQgLcTfYKns6tj8ElulQV3/iobWD3SU0DvZjg3iOMws7XJ09JMvYt
FhwIvCtByUMna05uye7ZsC9vm7QrvdiKaq5RJ2s6Xw1p9fvW/dTeMuBwkxgbrARp
mJ4vUknGTfSUCySUf3AC1droh/yyE9/5UHbtzz4pgXNLwdmFJZlIR8sfedU1998k
/UK+fCb7yvlUgkdmSG9psLDkLyokQ0VwDyfV8F/JqeqCEA6jRjUQJF/vhrRRY7/X
/ARDwgYJAtNvkOloY8Mm9rvlAOoffpJDJvgjQdy6BdBcPKLloIPBc2vMeh4YwhN6
HUmyucXNc9M=TKsJ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close