-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 7 security and bug fix update Advisory ID: RHSA-2019:1712-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2019:1712 Issue date: 2019-07-09 CVE Names: CVE-2018-0739 CVE-2019-0232 ==================================================================== 1. Summary: An update is now available for Red Hat JBoss Web Server 3.1. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 7 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es): * tomcat: Remote Code Execution on Windows (CVE-2019-0232) * openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service (CVE-2018-0739) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1561266 - CVE-2018-0739 openssl: Handling of crafted recursive ASN.1 structures can cause a stack overflow and resulting denial of service 1701056 - CVE-2019-0232 tomcat: Remote Code Execution on Windows 5. JIRA issues fixed (https://issues.jboss.org/): JWS-1303 - Body text property replacement fails [jws3] JWS-1414 - Tomcat frequently hangs at startup when Jolokia loads certificate [jws-3] 6. References: https://access.redhat.com/security/cve/CVE-2018-0739 https://access.redhat.com/security/cve/CVE-2019-0232 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html/3.1.0_release_notes/index 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXSSdM9zjgjWX9erEAQjiyBAAm7poF66coR0wLnb9mmsmEl5gT8+oqM+Z QByRSEmp+cOIzzmz2JA0oRAAiq6if7D8jbcnK0+bEO9upkje9EDT7Y0whjq4zui4 q938wRWMS4OoxGqWqYwPJZV9WVTbshHTaQ42dBPjDtE64P7o/ZJgbshO/znVDTFK crIC4h5GLawcBsGCApcGkxlfJQG/VzhTdBQkrVJGM4ovZ7zgFASNkQdoHN4x9st3 NPZPDO3TbhKBougI9D8UcfqOLUvkGaMljYnqAsbheXb1T1E0gX3mNO/qfc7lVdKO Yh2tNL+sfHAa6/EQ9bH7OKsdxhR4szeCV/os8i7NSJgN0QbwpOsAXTi4T80wphl2 krX3EPL3/Xsp9u+FMA2dkPXSUAJAEob++7p4r6tEEg4Q8q8wdx59Del4ERESos2W TccjjszCnT+OVTdpLRkf7LIjS+bTUsnnICTdyXKWATIEeZOYah4AsNPEfFFAFs3G Ln+kJ/tMkAEaR7J3uZqRIn0YtZVJhRoKQrB8iV49ItK2TIih+EvUCQhgu/MSFTUd 9dPZwkJDLOzJnHF6YIFZoo8wIwgiszMBgMJQRZisJsgysd6jtJUAE4ye/wL9TRkk YPK4uuXnE486odfCu4gSeSrc2/Z+xIej6IwSaFcHbJR3u5rLKd1i/QzupciOFIJC PR68zb1PfGo=WmTT -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce