what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2021-2210-01

Red Hat Security Advisory 2021-2210-01
Posted Jun 3, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-2210-01 - These are CVE issues filed against XP1 releases that have been fixed in the underlying EAP 7.3.x base, so no changes to the EAP XP1 code base. Issues addressed include bypass, code execution, and information leakage vulnerabilities.

tags | advisory, vulnerability, code execution
systems | linux, redhat
advisories | CVE-2020-13936, CVE-2020-28052, CVE-2020-35510, CVE-2020-8908, CVE-2021-20220, CVE-2021-20250, CVE-2021-21290
SHA-256 | 9691b25285d178232646384c2b04af0fd9b63a9114c31e28a05a6df16be9db85

Red Hat Security Advisory 2021-2210-01

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: EAP XP 1 security update to CVE fixes in the EAP 7.3.x base
Advisory ID: RHSA-2021:2210-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2210
Issue date: 2021-06-02
CVE Names: CVE-2020-8908 CVE-2020-13936 CVE-2020-28052
CVE-2020-35510 CVE-2021-20220 CVE-2021-20250
CVE-2021-21290
====================================================================
1. Summary:

This advisory resolves CVE issues filed against XP1 releases that have been
fixed in the underlying EAP 7.3.x base. There are no changes to the EAP XP1
code base.

NOTE: This advisory is informational only. There are no code changes
associated with it. No action is required.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

These are CVE issues filed against XP1 releases that have been fixed in the
underlying EAP 7.3.x base, so no changes to the EAP XP1 code base.

Security Fix(es):

* velocity: arbitrary code execution when attacker is able to modify
templates (CVE-2020-13936)

* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)

* jboss-remoting: Threads hold up forever in the EJB server by suppressing
the ack from an EJB client (CVE-2020-35510)

* undertow: Possible regression in fix for CVE-2020-10687 (CVE-2021-20220)

* wildfly: Information disclosure due to publicly accessible privileged
actions in JBoss EJB Client (CVE-2021-20250)

* netty: Information disclosure via the local system temporary directory
(CVE-2021-21290)

* guava: local information disclosure via temporary directory created with
unsafe permissions (CVE-2020-8908)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

This advisory is informational only. There are no code changes associated
with it. No action is required.

4. Bugs fixed (https://bugzilla.redhat.com/):

1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client
1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687
1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates

5. References:

https://access.redhat.com/security/cve/CVE-2020-8908
https://access.redhat.com/security/cve/CVE-2020-13936
https://access.redhat.com/security/cve/CVE-2020-28052
https://access.redhat.com/security/cve/CVE-2020-35510
https://access.redhat.com/security/cve/CVE-2021-20220
https://access.redhat.com/security/cve/CVE-2021-20250
https://access.redhat.com/security/cve/CVE-2021-21290
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/articles/5734021
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide
https://access.redhat.com/articles/5886431

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYLeUktzjgjWX9erEAQgwuxAAoE5FcOBf75luy5b546Zm+KLrc+lHXMWn
kjQ/yRJLCeabKIYQH091A15uqJxiTMcb+0poM2oHBTDEYmbKbDxUhWw2Q+eCkVhF
6OdzLy3FU9qMLi2WtS6US4Mtk0xUaEDr8VWd09RRqWB7IQYZiq93Dx7LVrwIpOUV
EpMLm+CwnALmNdLUMEbMm5mqhD7UUGFx2/iRyP/tTAqjW3uOkxDCQ/wCm32fxqTp
sEEgyBJHEoK+XZtuQKRhjHqweelCKCjK31WuiegNnPB1ZYXU2uZFtjBdeKg4BeoA
7UC8wHAvx1dqgGOKooECW+CaIZ+kXLwZuaSBMBiYdfcCpJz3vYTBlBGW2tZnftT3
o8q5UOiMTpSs6letZFlyoA+HmS3emh58RF1VCyAaQ7UTsFohFIxRCyg1PxTfQNLf
BVT9uOBP7L5yksrt+cxe8f0PPr6Krz4g09nPJCM8RQInjh4qHGeFgjuUrGy+aLgk
cxfQoNgUFrpNw/DvV+K7OZ9Ut4TsP+9FgrZfXA4diekB4Lzq8WNC7C8HBBxy3t3n
RagO+V5kZT77ulNnXVG3rr1X8SWPXd4sk8VY7BAwjX1X2XoE7gogRzoojh7AKGwV
BdrpRmBdXoHnIocuVOkgVx3pjP2fxhVG93lAkKv3KjBHBAtQZ3ujzkAT7uKOCbPD
oMoAg+Ex0fU=+Ekz
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close