-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 5.3.1 security update Advisory ID: RHSA-2020:2509-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2020:2509 Issue date: 2020-06-10 CVE Names: CVE-2020-9484 ==================================================================== 1. Summary: Updated Red Hat JBoss Web Server 5.3.1 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 and Windows. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.3.1 serves as a replacement for Red Hat JBoss Web Server 5.3.0, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References. Security Fix(es): * tomcat: Apache Tomcat Remote Code Execution via session persistence (CVE-2020-9484) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. 4. Bugs fixed (https://bugzilla.redhat.com/): 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE 5. References: https://access.redhat.com/security/cve/CVE-2020-9484 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=5.3 https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.3/ 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXuETO9zjgjWX9erEAQjXxg//QS+8bTXNkhjQugj+b4Ak8DCjm0JrrGrg fT+rPvu79dzjeooLZ18fnoPBZQ2xowu7gjIev8PlTlQNlj76CzzjRGvv77MlUy3G JAw+gh/kYDUV8bX6Whs5fvj+9LOwcrs6lB3WeYVfFjj2na2Nr7mkKoL/mvzJMToH jcZ7W7cnLECcWhtC+JIRT1mwpe1lXOkiWlfn6df+VBX6R0PiFdmz4ieyHWqV3Ryd bdT+IMe1ubmHRpYnolx/4kHUbr84CNx+AwEcX9OI6jfzFMOKtEaOHcAPO83ZR7Pt p5IcEdD1drwGjzhaER/bMR56+faFXPA31oZ4UMpXdDp6BhNzEh/3bV1VqaOgxd8o MUuZhqTTPJgPnlWJ1jolv0ccKvcl6Nia7FPjyfYqBjo9YFIcXhGRlrOICu7ivn4X qp86C9tejiNuq4C0jMODwvU4dfRLrKHRXZ9ZwnvJB+Og98CBS5RezmJXuauIBKT7 FJDqXtHOSMiLVOboXZnbhKj9KWHp37iAMSl+N/xuXLxJ/OD+LbBavTlCG/hXNnoJ lyK10HaqJjO+59zJMLaGuOT2Bt4YmxH+GxZSR1u+yiXWuSXYJO9meOYeO9EpuqGU 7yeG/ZkSyi2iLI5wK0u6XNLradiCq1fPkvUUtXBNi8qjNxfYAxFjYUWRZAoRXlfL 9wyJATiOAwc=Qw56 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce