what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2020-2321-01

Red Hat Security Advisory 2020-2321-01
Posted May 26, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-2321-01 - Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project. This release of Red Hat Data Grid 7.3.6 serves as a replacement for Red Hat Data Grid 7.3.5 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum. Issues addressed include HTTP request smuggling, cross site scripting, out of bounds read, and traversal vulnerabilities.

tags | advisory, web, vulnerability, xss
systems | linux, redhat
advisories | CVE-2018-10862, CVE-2019-0205, CVE-2019-0210, CVE-2019-10086, CVE-2019-10219, CVE-2019-14540, CVE-2019-16869, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238
SHA-256 | 37188b4f3d0ad45e53ae50f81ab79f3432ce0a83d98c55f4c8cc57bb3deb1677

Red Hat Security Advisory 2020-2321-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat Data Grid 7.3.6 security update
Advisory ID: RHSA-2020:2321-01
Product: Red Hat JBoss Data Grid
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2321
Issue date: 2020-05-26
CVE Names: CVE-2018-10862 CVE-2019-0205 CVE-2019-0210
CVE-2019-10086 CVE-2019-10219 CVE-2019-14540
CVE-2019-16869 CVE-2019-16942 CVE-2019-16943
CVE-2019-17267 CVE-2019-20444 CVE-2019-20445
CVE-2020-7238
====================================================================
1. Summary:

An update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the
Infinispan project.

This release of Red Hat Data Grid 7.3.6 serves as a replacement for Red Hat
Data Grid 7.3.5 and includes bug fixes and enhancements, which are
described in the Release Notes, linked to in the References section of this
erratum.

Security Fix(es):

* wildfly-core: Path traversal can allow the extraction of .war archives to
write arbitrary files (Zip Slip) (CVE-2018-10862)

* apache-commons-beanutils: does not suppresses the class property in
PropertyUtilsBean by default (CVE-2019-10086)

* netty: HTTP request smuggling by mishandled whitespace before the colon
in HTTP headers (CVE-2019-16869)

* netty: HTTP request smuggling (CVE-2019-20444)

* netty: HttpObjectDecoder.java allows Content-Length header to accompanied
by second Content-Length header (CVE-2019-20445)

* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace
mishandling (CVE-2020-7238)

* thrift: Endless loop when feed with specific input data (CVE-2019-0205)

* thrift: Out-of-bounds read related to TJSONProtocol or
TSimpleJSONProtocol (CVE-2019-0210)

* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)

* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
(CVE-2019-14540)

* jackson-databind: Serialization gadgets in
org.apache.commons.dbcp.datasources.* (CVE-2019-16942)

* jackson-databind: Serialization gadgets in
com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)

* jackson-databind: Serialization gadgets in classes of the ehcache package
(CVE-2019-17267)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

To install this update, do the following:

1. Download the Data Grid 7.3.6 server patch from the customer portal. See
the download link in the References section.
2. Back up your existing Data Grid installation. You should back up
databases, configuration files, and so on.
3. Install the Data Grid 7.3.6 server patch. Refer to the 7.3 Release Notes
for patching instructions.
4. Restart Data Grid to ensure the changes take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1593527 - CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)
1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS
1755849 - CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
1758167 - CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package
1758187 - CVE-2019-16942 jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*
1758191 - CVE-2019-16943 jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data
1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
1798524 - CVE-2019-20444 netty: HTTP request smuggling

5. References:

https://access.redhat.com/security/cve/CVE-2018-10862
https://access.redhat.com/security/cve/CVE-2019-0205
https://access.redhat.com/security/cve/CVE-2019-0210
https://access.redhat.com/security/cve/CVE-2019-10086
https://access.redhat.com/security/cve/CVE-2019-10219
https://access.redhat.com/security/cve/CVE-2019-14540
https://access.redhat.com/security/cve/CVE-2019-16869
https://access.redhat.com/security/cve/CVE-2019-16942
https://access.redhat.com/security/cve/CVE-2019-16943
https://access.redhat.com/security/cve/CVE-2019-17267
https://access.redhat.com/security/cve/CVE-2019-20444
https://access.redhat.com/security/cve/CVE-2019-20445
https://access.redhat.com/security/cve/CVE-2020-7238
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?productÚta.grid&downloadType=patches&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXs0/WtzjgjWX9erEAQj6YBAAprUkyGaWcz+RYX6fFXboPsTp+DryzK86
I0qkM7+AcdotKa113mC6JYxxCdTScRDpEMro4hlhgdk1tkFKarlT0ygK8pQiR0JP
lQ6Orkf267u6Dgl/WcycTYhmWL3ZnBujKf+Lw9hrI5BqHMCHkxUYTJtQoolqfEHR
Kjm84Ztf3xb29Olrcho4AkQQruHdoc9BYDN0cVdLcO4cprYhBFxU7PFXZy6+YtiJ
5QJwfeGnHIQcSLfaGjsLno2K4ZxRfwMX04xWn7hAaYRQV7CIfcPjqj0mCyEVfDND
0a3WbgiMwMvkT6B0E9e7fQy02nlQbPKvsTBcvb4f0a0iJ5fJYljMowcWl0j+7Jtj
CCdlaMEcVnk/ABF5ShP7HdB3gbEnPPQrFMIcpOwYDBxxnpR0PwqL8mGSroJD1Pp9
S2OLc0HxqMEKmiqtJWY74+ltCSIFx0GwdkimhWJ7wnQitpIFRNeWyAMdz9IuqVXX
Tcyys8aKXk+vZAYrCSckD4JFvguUPMcp9XJ7wANkHVlBgW0pcTdbro6jIii/xRZa
v4mWhkNkw9qr3aIkOZ+FdcNxDkhWWq8INV5+4I8ueqebBUibl6KLptcgbs5aUauz
KYhyKl0qcAczrmDGZK3EhvZzCWCm/NfLG8Mv9+YgIdErJg8xgeLceaoKlwDtbsWm
ajI0qVNl6BsÛVJ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close