what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2020-2565-01

Red Hat Security Advisory 2020-2565-01
Posted Jun 16, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-2565-01 - Red Hat JBoss Enterprise Application Platform CD18 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform CD18 includes bug fixes and enhancements. Issues addressed include denial of service and memory leak vulnerabilities.

tags | advisory, java, denial of service, vulnerability, memory leak
systems | linux, redhat
advisories | CVE-2019-14838, CVE-2019-19343, CVE-2019-3805, CVE-2019-9511, CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2020-11619, CVE-2020-11620
SHA-256 | f41351cfb3dfcc9a2649d77ee8e9fcfbaa9cf3b363ffad837f8af26dfb1c62db

Red Hat Security Advisory 2020-2565-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: EAP Continuous Delivery Technical Preview Release 18 security update
Advisory ID: RHSA-2020:2565-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2565
Issue date: 2020-06-15
CVE Names: CVE-2019-3805 CVE-2019-9511 CVE-2019-9512
CVE-2019-9514 CVE-2019-9515 CVE-2019-14838
CVE-2019-19343 CVE-2020-11619 CVE-2020-11620
====================================================================
1. Summary:

This is a security update for JBoss EAP Continuous Delivery 18.0.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform CD18 is a platform for Java
applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform CD18 includes
bug fixes and enhancements.

Security Fix(es):

* jackson-databind: Serialization gadgets in org.springframework:spring-aop
(CVE-2020-11619)
* jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
(CVE-2020-11620)
* wildfly: Race condition on PID file allows for termination of arbitrary
processes by local users (CVE-2019-3805)
* undertow: HTTP/2: large amount of data requests leads to denial of
service (CVE-2019-9511)
* undertow: HTTP/2: flood using HEADERS frames results in unbounded memory
growth (CVE-2019-9514)
* undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory
growth (CVE-2019-9515)
* undertow: HTTP/2: flood using PING frames results in unbounded memory
growth (CVE-2019-9512)
* wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and
'Deployer' user by default (CVE-2019-14838)
* undertow: Memory Leak in Undertow HttpOpenListener due to holding
remoting connections indefinitely (CVE-2019-19343)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise
Application Platform installation and deployed applications.

You must restart the JBoss server process for the update to take effect.

The References section of this erratum contains a download link (you must
log in to download the update)

4. Bugs fixed (https://bugzilla.redhat.com/):

1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth
1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service
1751227 - CVE-2019-14838 wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default
1780445 - CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
1826798 - CVE-2020-11620 jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
1826805 - CVE-2020-11619 jackson-databind: Serialization gadgets in org.springframework:spring-aop

5. References:

https://access.redhat.com/security/cve/CVE-2019-3805
https://access.redhat.com/security/cve/CVE-2019-9511
https://access.redhat.com/security/cve/CVE-2019-9512
https://access.redhat.com/security/cve/CVE-2019-9514
https://access.redhat.com/security/cve/CVE-2019-9515
https://access.redhat.com/security/cve/CVE-2019-14838
https://access.redhat.com/security/cve/CVE-2019-19343
https://access.redhat.com/security/cve/CVE-2020-11619
https://access.redhat.com/security/cve/CVE-2020-11620
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXueq39zjgjWX9erEAQiVvw//WMAI8AuJgNj6ocD8JJbETwuAlv3Qjc2n
iZ29Nu4o7hQTR9GLyLu7f4Tcn9gzRfLUXFR4Ly0KknHTOluRcmYatf4pT1yM+1/Z
MP3SyS/HScdxvoKybcz0LgzT6D5HpfkskB49QYEQNI4TnWz88fKpET/fQc/kDUGS
mJ4EKGcZdYFzCHo2vuK28WCd1e612Dg2MSv7jfctJltwQQunJTsovKJdyFOaIUsV
U8GdYj8TL3PlARInizUioB/UA7tReRhkg97jjzQBqQXHUfNnwr3kSMHAWrANnvGx
m+1B+QLVdcT+22OvsXgdlksK4ceOleSFJ77kiIcuU9PSQ/FRArigDKrj5DQIUfjY
yG7xOE0h9AlMeoQUhyWikG0ZyYJ+v+S85cquWPZZiWuXesht8XAlyYpba1sz+Tuj
g/ASXhlUl9WRSAKIe6ijqNasi5vcs4kNnpcKJv4DZe+cJSLtU/QE9P7FUmXxJPuE
2MTonbkWRLtEAcOx6An0pJAQRGStqCCYd4hOP2KWcUgTe1rxbkidyq0ggo5LsRpT
+03VNDjJqkTBwTVc1OPEqCZYu4aa+45NJNDPwwiuse1BW0vw41SCoRDHe7QiWNrn
27CK6VcWpjJKybVLzKxkIas6MUJISdp7KAES5NgrKo/R3V3ycZCd2RJP0Ib8oevO
s+d7FrCZsfA=ZGb7
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close