-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: EAP Continuous Delivery Technical Preview Release 19 security update Advisory ID: RHSA-2020:2333-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:2333 Issue date: 2020-05-28 CVE Names: CVE-2019-0205 CVE-2019-0210 CVE-2019-10086 CVE-2019-10174 CVE-2019-12419 CVE-2019-12423 CVE-2019-14540 CVE-2019-14887 CVE-2019-14888 CVE-2019-14892 CVE-2019-14893 CVE-2019-16335 CVE-2019-16869 CVE-2019-16942 CVE-2019-16943 CVE-2019-17267 CVE-2019-17531 CVE-2019-17573 CVE-2019-20330 CVE-2019-20444 CVE-2019-20445 CVE-2020-1695 CVE-2020-1732 CVE-2020-1745 CVE-2020-7238 CVE-2020-9547 CVE-2020-10672 CVE-2020-10688 CVE-2020-10968 CVE-2020-10969 CVE-2020-11111 CVE-2020-11112 CVE-2020-11113 ==================================================================== 1. Summary: This is a security update for JBoss EAP Continuous Delivery 19. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Enterprise Application Platform CD19 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform CD19 includes bug fixes and enhancements. Security Fix(es): * apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) * infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174) * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869) * netty: HTTP request smuggling (CVE-2019-20444) * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) * jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968) * jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969) * jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111) * jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112) * jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113) * thrift: Endless loop when feed with specific input data (CVE-2019-0205) * thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) * cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12419) * cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423) * jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540) * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) * jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892) * jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893) * jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335) * jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942) * jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943) * jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267) * jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531) * cxf: reflected XSS in the services listing page (CVE-2019-17573) * jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330) * resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695) * jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672) * RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688) * Soteria: security identity corruption across concurrent threads (CVE-2020-1732) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. You must restart the JBoss server process for the update to take effect. The References section of this erratum contains a download link (you must log in to download the update) 4. Bugs fixed (https://bugzilla.redhat.com/): 1703469 - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods 1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class 1755831 - CVE-2019-16335 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource 1755849 - CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig 1758167 - CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package 1758171 - CVE-2019-14892 jackson-databind: Serialization gadgets in classes of the commons-configuration package 1758182 - CVE-2019-14893 jackson-databind: Serialization gadgets in classes of the xalan package 1758187 - CVE-2019-16942 jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* 1758191 - CVE-2019-16943 jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource 1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data 1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use 1772464 - CVE-2019-14888 undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS 1775293 - CVE-2019-17531 jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* 1793154 - CVE-2019-20330 jackson-databind: lacks certain net.sf.ehcache blocking 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId 1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header 1798524 - CVE-2019-20444 netty: HTTP request smuggling 1801726 - CVE-2020-1732 Soteria: security identity corruption across concurrent threads 1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability 1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack 1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution 1816175 - CVE-2019-12419 cxf: OpenId Connect token service does not properly validate the clientId 1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap 1819208 - CVE-2020-10968 jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider 1819212 - CVE-2020-10969 jackson-databind: Serialization gadgets in javax.swing.JEditorPane 1821304 - CVE-2020-11111 jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory 1821311 - CVE-2020-11112 jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider 1821315 - CVE-2020-11113 jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime 5. JIRA issues fixed (https://issues.jboss.org/): JBEAP-18881 - Upgrade Undertow to 2.0.30.SP1 JBEAP-18974 - Upgrade snakeyaml to 1.26 JBEAP-18975 - Upgrade cryptacular to 1.2.4 JBEAP-18982 - Upgrade WildFly Core to 11.0.0.Final-redhat-00001 JBEAP-18983 - Upgrade Remoting JMX from 3.0.3 to 3.0.4 JBEAP-19041 - Upgrade WildFly Elytron to 1.11.3.Final JBEAP-19042 - Upgrade wildfly-core to 11.0.2.Final JBEAP-19076 - Upgrade resteasy from 3.11.0.Final to 3.11.1.Final JBEAP-19211 - Empty section Fixed CVEs in CD19 Release Notes 6. References: https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-10086 https://access.redhat.com/security/cve/CVE-2019-10174 https://access.redhat.com/security/cve/CVE-2019-12419 https://access.redhat.com/security/cve/CVE-2019-12423 https://access.redhat.com/security/cve/CVE-2019-14540 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-14888 https://access.redhat.com/security/cve/CVE-2019-14892 https://access.redhat.com/security/cve/CVE-2019-14893 https://access.redhat.com/security/cve/CVE-2019-16335 https://access.redhat.com/security/cve/CVE-2019-16869 https://access.redhat.com/security/cve/CVE-2019-16942 https://access.redhat.com/security/cve/CVE-2019-16943 https://access.redhat.com/security/cve/CVE-2019-17267 https://access.redhat.com/security/cve/CVE-2019-17531 https://access.redhat.com/security/cve/CVE-2019-17573 https://access.redhat.com/security/cve/CVE-2019-20330 https://access.redhat.com/security/cve/CVE-2019-20444 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-1695 https://access.redhat.com/security/cve/CVE-2020-1732 https://access.redhat.com/security/cve/CVE-2020-1745 https://access.redhat.com/security/cve/CVE-2020-7238 https://access.redhat.com/security/cve/CVE-2020-9547 https://access.redhat.com/security/cve/CVE-2020-10672 https://access.redhat.com/security/cve/CVE-2020-10688 https://access.redhat.com/security/cve/CVE-2020-10968 https://access.redhat.com/security/cve/CVE-2020-10969 https://access.redhat.com/security/cve/CVE-2020-11111 https://access.redhat.com/security/cve/CVE-2020-11112 https://access.redhat.com/security/cve/CVE-2020-11113 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?productêp-cd&downloadType=securityPatches&version https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform_continuous_delivery/19/ 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXs/fx9zjgjWX9erEAQjTuBAApBdLRTQ3SYGNv8RYAOflVg+Uac4M1OPd h/4aG2145ufYRVxofleuoxcclJtiCV1g47/7uXYdecfvnWwu3+yvf9f8BFW7fQ20 GmJEPf4vtb5GrNn/JyAPOKoo52iF344y2qtNJA6+TJ6Ve6jeDZlq6UZSNPyUBxn9 GuwPdU9cbpCBvF42Eg9/z5DjtbNyiwI6rSzT4u8z09JslNiO6C6F6E3pKMwBzdaK OcPwITgPltIqwdn6mVh/qZ0z7xnJDmPQLtFtpRdXfDrAUhatqu7lSYsHfTvi+xDr AIJR2ns1m5I5k01C3doLznzYEy6VqO02WaeoXzvpdz3nlWmDUxLQ38eMxuoV7pwI 07poARDHzMV6glePhKcr+NZfZIiVDkdKnMP2+Mno9jwlt2lHy8HF3ljK5e+BSyqB mthSAByCGIaEVvsgLKEHUvmFuW8CCw8R04UaaJ62y7Vq3TWdomxdlmEgHgcwxVtK nHKXJZeMjTrEBTdqWynrCWF1gdATVBjyF5jHd/4S3uC+QEnvITDuY0RT17cJFvbl /M6Ij1tRDuZtbTx+Xj2vFWIfevgSFpjTAbq8e3hcT+gkapx5QA4bwcGGAkliX9oU IIb22JMwEBK1tmY0wkgU+z4pSQPL1YorQKXXKV8TKtGashNRbxY2l167Xn+sPJR6 lzZ7y4dwst8=nLxn -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce