-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3 security update Advisory ID: RHSA-2020:0961-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:0961 Issue date: 2020-03-24 CVE Names: CVE-2019-0205 CVE-2019-0210 CVE-2019-14887 CVE-2020-1745 ==================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. Security Fix(es): * The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205) * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section. 3. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. The References section of this erratum contains a download link (you must log in to download the update). You must restart the JBoss server process for the update to take effect. 4. Bugs fixed (https://bugzilla.redhat.com/): 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use 1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability 5. References: https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2020-1745 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/ 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXnnrgNzjgjWX9erEAQgg8w/+ORcAoBTRHPbiIvRbhhCHZbpF3LfSq94X nzuJM8BoE2Q60pzNsZ3Vb2/ns+IZJz2gnLGA9FYKpYM8SJfZEqsQT9IRzuzb77nF I3RqJKlxn1vxtuw+vNh9wiOw0D0xSetXaz7iICEKrGRtCQSnyAECLbpGHzgZ+zTM TFPjV81tYtrf1Osh60QsPzYp66D8CvApYyXOfAdxLXCspF+iBL6+1p0To0fskp8H BnGpiKgANlqBn8Thi0xnC+ogPVG83jNkCkuoh9tJY5OZmkXlkGujY+guEF3Zuizj fg2VV7AmJPWQPSMzn5Qu0Vm0uSNYZ+xdVJ6sqVWePVpOst4iavvMxqYP5jqPo/WS /5F0Wn5zjCzxuC4ODMuanxEvXsvBoQJMOq1YiVB590oNeaWsYiI2FvxdPLW4q/8T dnvagoZDjlWX+3HwTz6dx+WiQ0I/jgNomfB91Exd6wjniyTgwtFipIC06JcxZg5u n66UmR0qnXqhWB7ho6W4+FpsJamqRAQHbYX450s6USu9oyVTFXQXa7JEA97+DBC6 M9y8RWVhc7dAj9D3EVebwcXlVaTUWC99/ovxe19qKZIUVNsindG0tWAgGy7gu9xC zM39nafy7XLU4T9HBrxyxpUFlw3OMd1zKQGd5nnJ7VjcybVvV3LAi07XnzdpM+ND ANlsz/b+zeg=xKZW -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce