Red Hat Security Advisory 2020-3779-01 - Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project. This release of Red Hat Data Grid 7.3.7 serves as a replacement for Red Hat Data Grid 7.3.6 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum. Issues addressed include XML injection, bypass, and improper authorization vulnerabilities.
bda9f859f02dbc7e3933821e8b9f636c5252aa584253a3ce3cca3733655cb6b0-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Data Grid 7.3.7 security update
Advisory ID: RHSA-2020:3779-01
Product: Red Hat JBoss Data Grid
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3779
Issue date: 2020-09-17
CVE Names: CVE-2017-7658 CVE-2019-10172 CVE-2020-1695
CVE-2020-1710 CVE-2020-1719 CVE-2020-1745
CVE-2020-1748 CVE-2020-1757 CVE-2020-8840
CVE-2020-9488 CVE-2020-9546 CVE-2020-9547
CVE-2020-9548 CVE-2020-10672 CVE-2020-10673
CVE-2020-10714 CVE-2020-10968 CVE-2020-10969
CVE-2020-11111 CVE-2020-11112 CVE-2020-11113
CVE-2020-11612 CVE-2020-11619 CVE-2020-11620
====================================================================
1. Summary:
An update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the
Infinispan project.
This release of Red Hat Data Grid 7.3.7 serves as a replacement for Red Hat
Data Grid 7.3.6 and includes bug fixes and enhancements, which are
described in the Release Notes, linked to in the References section of this
erratum.
Security Fix(es):
* jetty: Incorrect header handling (CVE-2017-7658)
* EAP: field-name is not parsed in accordance to RFC7230 (CVE-2020-1710)
* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)
* undertow: servletPath is normalized incorrectly leading to dangerous
application mapping which could result in security bypass (CVE-2020-1757)
* jackson-databind: Lacks certain xbean-reflect/JNDI blocking
(CVE-2020-8840)
* jackson-databind: Serialization gadgets in shaded-hikari-config
(CVE-2020-9546)
* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)
* jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)
* jackson-databind: mishandles the interaction between serialization
gadgets and typing which could result in remote command execution
(CVE-2020-10672)
* jackson-databind: mishandles the interaction between serialization
gadgets and typing which could result in remote command execution
(CVE-2020-10673)
* jackson-databind: Serialization gadgets in
org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)
* jackson-databind: Serialization gadgets in javax.swing.JEditorPane
(CVE-2020-10969)
* jackson-databind: Serialization gadgets in
org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111)
* jackson-databind: Serialization gadgets in
org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112)
* jackson-databind: Serialization gadgets in
org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113)
* jackson-databind: Serialization gadgets in org.springframework:spring-aop
(CVE-2020-11619)
* jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
(CVE-2020-11620)
* jackson-mapper-asl: XML external entity similar to CVE-2016-3720
(CVE-2019-10172)
* resteasy: Improper validation of response header in
MediaTypeHeaderDelegate.java class (CVE-2020-1695)
* Wildfly: EJBContext principal is not popped back after invoking another
EJB using a different Security Domain (CVE-2020-1719)
* Wildfly: Improper authorization issue in WildFlySecurityManager when
using alternative protection domain (CVE-2020-1748)
* wildfly-elytron: session fixation when using FORM authentication
(CVE-2020-10714)
* netty: compression/decompression codecs don't enforce limits on buffer
allocation sizes (CVE-2020-11612)
* log4j: improper validation of certificate with host mismatch in SMTP
appender (CVE-2020-9488)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
To install this update, do the following:
1. Download the Data Grid 7.3.7 server patch from the customer portal. See
the download link in the References section.
2. Back up your existing Data Grid installation. You should back up
databases, configuration files, and so on.
3. Install the Data Grid 7.3.7 server patch. Refer to the 7.3 Release Notes
for patching instructions.
4. Restart Data Grid to ensure the changes take effect.
4. Bugs fixed (https://bugzilla.redhat.com/):
1595621 - CVE-2017-7658 jetty: Incorrect header handling
1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720
1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230
1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability
1807707 - CVE-2020-1748 Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain
1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
1816216 - CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes
1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking
1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config
1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap
1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core
1819208 - CVE-2020-10968 jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider
1819212 - CVE-2020-10969 jackson-databind: Serialization gadgets in javax.swing.JEditorPane
1821304 - CVE-2020-11111 jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory
1821311 - CVE-2020-11112 jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider
1821315 - CVE-2020-11113 jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime
1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication
1826798 - CVE-2020-11620 jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
1826805 - CVE-2020-11619 jackson-databind: Serialization gadgets in org.springframework:spring-aop
1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender
5. References:
https://access.redhat.com/security/cve/CVE-2017-7658
https://access.redhat.com/security/cve/CVE-2019-10172
https://access.redhat.com/security/cve/CVE-2020-1695
https://access.redhat.com/security/cve/CVE-2020-1710
https://access.redhat.com/security/cve/CVE-2020-1719
https://access.redhat.com/security/cve/CVE-2020-1745
https://access.redhat.com/security/cve/CVE-2020-1748
https://access.redhat.com/security/cve/CVE-2020-1757
https://access.redhat.com/security/cve/CVE-2020-8840
https://access.redhat.com/security/cve/CVE-2020-9488
https://access.redhat.com/security/cve/CVE-2020-9546
https://access.redhat.com/security/cve/CVE-2020-9547
https://access.redhat.com/security/cve/CVE-2020-9548
https://access.redhat.com/security/cve/CVE-2020-10672
https://access.redhat.com/security/cve/CVE-2020-10673
https://access.redhat.com/security/cve/CVE-2020-10714
https://access.redhat.com/security/cve/CVE-2020-10968
https://access.redhat.com/security/cve/CVE-2020-10969
https://access.redhat.com/security/cve/CVE-2020-11111
https://access.redhat.com/security/cve/CVE-2020-11112
https://access.redhat.com/security/cve/CVE-2020-11113
https://access.redhat.com/security/cve/CVE-2020-11612
https://access.redhat.com/security/cve/CVE-2020-11619
https://access.redhat.com/security/cve/CVE-2020-11620
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?productÚta.grid&downloadType=securityPatches&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html/red_hat_data_grid_7.3_release_notes/index
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX2Nf/dzjgjWX9erEAQifjA/7BlSA2KK7e4RlxfRAP3Sj7xT+CRlFcOJn
NVVI6DNpfZNtD/TJ4M5JFMP/yzKb+/FoaGVUexqiUxQBcrYsViZdfwfQ6PSwQgd8
5GAtC0NINGYmr0y7m6sKbAwAofnmCoEjNPjpdfLG632Err4vXDT9pGx1RNIrfS0A
qaOSuf2BjZkD9A6Azroupq/ePmRnDBW4ovWF4ES415Pa5T7N4rmoyZ3UnGrbubmm
GisjzhBbFyjL2wM1gMtqKlf5Qdre0XQIio4YLEnK1DaS7qLS36L04UJP9rwtB/nn
aCOKZE/4Ch0gYcNlwniH4MK4Aiy/z/OGQopuhJoKFADJ3Y5lnJwCWDMjMKwWSj1G
DvKG4uSIa8l2oxGQURThwxY1Jr7sbQTy2QXCVoyZj9oOKoGel+qJaGVFVnwsOpB7
MB8nPAuINZ91RR7xSBLv/AyoLnXV3dI97kOyTwEhld6THIwAUWqk+V2y7M6Onlx9
Pf+whfe0ORHzeCj/UBZh2NqcuShUpjdE9aLyYyefa2VV4t+0L4XlIfnlNuL8Ja7j
wzLJlo/u8XMktoXRrBpMWZaCzcqN1+BTuQUXNZeqfNtgFmCgJVxp6tHyHni7flQq
P2M8FaCyQHyQ1ggSljgZ66AEdiwatYpqOxR4yUyrKmsXt9iPsX45TdA9zSKmF2Sb
PyKX8lLP6w8=n+2X
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed