-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat build of Thorntail 2.7.0 security and bug fix update
Advisory ID:       RHSA-2020:2905-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2905
Issue date:        2020-07-23
CVE Names:         CVE-2019-12423 CVE-2019-17573 CVE-2020-1695 CVE-2020-1697
                   CVE-2020-1698 CVE-2020-1714 CVE-2020-1718 CVE-2020-1719
                   CVE-2020-1724 CVE-2020-1727 CVE-2020-1732 CVE-2020-1744
                   CVE-2020-1745 CVE-2020-1757 CVE-2020-6950 CVE-2020-10688
                   CVE-2020-10705 CVE-2020-10719
=====================================================================

1. Summary:

An update is now available for Red Hat build of Thorntail.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability. For
more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Thorntail 2.7.0 includes security updates,
bug fixes, and enhancements. For more information, see the release notes
listed in the References section.

Security Fix(es):

* Wildfly: EJBContext principal is not popped back after invoking another EJB
using a different Security Domain (CVE-2020-1719)

* cxf: reflected XSS in the services listing page (CVE-2019-17573)

* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)

* Mojarra: Path traversal via either the loc parameter or the con parameter,
incomplete fix of CVE-2018-14371 (CVE-2020-6950)

* resteasy: Improper validation of response header in
MediaTypeHeaderDelegate.java class (CVE-2020-1695)

* undertow: servletPath is normalized incorrectly leading to dangerous
application mapping which could result in security bypass (CVE-2020-1757)

* keycloak: stored XSS in client settings via application links
(CVE-2020-1697)

* keycloak: problem with privacy after user logout (CVE-2020-1724)

* keycloak: Password leak by logged exception in HttpMethod class
(CVE-2020-1698)

* cxf: OpenId Connect token service does not properly validate the clientId
(CVE-2019-12423)

* Soteria: security identity corruption across concurrent threads
(CVE-2020-1732)

* keycloak: missing input validation in IDP authorization URLs
(CVE-2020-1727)

* keycloak: failedLogin Event not sent to BruteForceProtector when using Post
Login Flow with Conditional-OTP (CVE-2020-1744)

* keycloak: security issue on reset credential flow (CVE-2020-1718)

* keycloak: Lack of checks in ObjectInputStream leading to Remote Code
Execution (CVE-2020-1714)

* RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS
attack (CVE-2020-10688)

* undertow: invalid HTTP request with large chunk size (CVE-2020-10719)

* undertow: Memory exhaustion issue in HttpReadListener via "Expect:
100-continue" header (CVE-2020-10705)

For more details about the security issues and their impact, the CVSS score,
acknowledgements, and other related information, see the CVE pages listed in
the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
1790292 - CVE-2020-1698 keycloak: Password leak by logged exception in HttpMethod class
1791538 - CVE-2020-1697 keycloak: stored XSS in client settings via application links
1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow
1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId
1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page
1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout
1800573 - CVE-2020-1727 keycloak: missing input validation in IDP authorization URLs
1801726 - CVE-2020-1732 Soteria: security identity corruption across concurrent threads
1803241 - CVE-2020-10705 undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header
1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371
1805792 - CVE-2020-1744 keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP
1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability
1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack
1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size

5. References:

https://access.redhat.com/security/cve/CVE-2019-12423
https://access.redhat.com/security/cve/CVE-2019-17573
https://access.redhat.com/security/cve/CVE-2020-1695
https://access.redhat.com/security/cve/CVE-2020-1697
https://access.redhat.com/security/cve/CVE-2020-1698
https://access.redhat.com/security/cve/CVE-2020-1714
https://access.redhat.com/security/cve/CVE-2020-1718
https://access.redhat.com/security/cve/CVE-2020-1719
https://access.redhat.com/security/cve/CVE-2020-1724
https://access.redhat.com/security/cve/CVE-2020-1727
https://access.redhat.com/security/cve/CVE-2020-1732
https://access.redhat.com/security/cve/CVE-2020-1744
https://access.redhat.com/security/cve/CVE-2020-1745
https://access.redhat.com/security/cve/CVE-2020-1757
https://access.redhat.com/security/cve/CVE-2020-6950
https://access.redhat.com/security/cve/CVE-2020-10688
https://access.redhat.com/security/cve/CVE-2020-10705
https://access.redhat.com/security/cve/CVE-2020-10719
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.thorntail&version=2.7.0
https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.7/html/release_notes_for_thorntail_2.7/

6. Contact:

The Red Hat security contact is .

More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXxk2rdzjgjWX9erEAQjSbQ//e0FG83JQFpQV7HUEsjPMB7+tT0UgoTXQ
KnfasEPEP7wnPU07lZiVW94sxhUC/hAhce1KWIR3nT3uesMO4S+7o2vmgOwax1G7
yYsG1SRX4KK5Ma7Qvyx8lM+6TN0MNNrXGvFsqcYF1pJBL/1tfZfb/ciiqjrsR0Tp
v20FKuNrNmn4IPRzN04AZafOG9tXQ8XMqkJaWxh8s4dupvElG4ywmYletwYLYMxS
5X+SVmQ9TtGSgJF6HUGoL0wsTbMtdlJPRrchhbjzAi00ZY5hElVa+MOzdyCFYygv
ev0iz9m0foF1bXfbJTfpzbOnz/f3uJUTKCzz+mLf3voeqbvXnzUNn74MXZQynR8G
LNFVpLo0U/d0wULkSSdFjqer+IxeUWRwcl2km1U42f+0BiCb4K3uHIjhkfAdRFFQ
7K8Nl/2GfJnLywD8693xSKi/6MeCHC2HhrYb9A89lXoebX/3WXkNUC4ReGL80+fg
3z7793xt6QzV9V+WOH8NbQS4SzpAOkusHMew7sQpLxU8r9uaF1KibshjUGq/rZlA
YswTjYHqNLja7kx8GDejpO/RAhMq6asm38YtFzY+Qtipe8xcAxSrTiO6FLN+Xv0M
YlvsaeWblymoLwbQ5ON59VoFFe1YgzIQP0CJEbWbnJl0UHdIldAbv22e4Trnw58t
ZwsJot3fnjU=
=2k8f
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
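The CVE Names header, the Security Fix(es) bullets and the Bugs fixed list in an advisory like this one are the three places a vulnerability tracker reads CVE identifiers from, and they are meant to agree. The following is an added example, not Red Hat tooling and not part of the advisory: a parser for the plain-text RHSA layout that re-joins wrapped lines, extracts the three lists, and reports any CVE that appears in one list but not the others or is attributed to different components. The embedded SAMPLE is a constructed excerpt of RHSA-2020:2905 (four entries copied verbatim); CVE-2020-10705 is kept in the header but deliberately dropped from the bullets and bug list so the check has something to flag.

```python
"""Parse the machine-useful parts of a Red Hat text advisory (RHSA): the
CVE Names header, the Security Fix(es) bullets and the 'Bugs fixed' list,
then cross-check them. Added example, not Red Hat tooling; it assumes the
plain-text RHSA layout, including wrapped continuation lines."""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# "* keycloak: stored XSS in client settings via application links (CVE-2020-1697)"
FIX_RE = re.compile(r"^\* ([^:]+): (.+) \((CVE-\d{4}-\d{4,})\)$")
# "1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream ..."
BUG_RE = re.compile(r"^(\d+) - (CVE-\d{4}-\d{4,}) ([^:]+): (.+)$")


def _items(lines, starts):
    """Re-join wrapped entries: a line matching `starts` opens an entry,
    following non-blank lines continue it, a blank line closes it."""
    items, open_ = [], False
    for line in lines:
        if starts.match(line):
            items.append(line)
            open_ = True
        elif line and open_:
            items[-1] += " " + line
        else:
            open_ = False
    return items


def split_sections(text):
    """Return {name: [stripped lines]} for the three sections we need; the
    '====' rule and any other numbered heading end the current section."""
    sections, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CVE Names:"):
            name, line = "cve_names", line[len("CVE Names:"):].strip()
        elif line.startswith("Security Fix(es):"):
            name = "fixes"
            continue
        elif line.startswith("4. Bugs fixed"):
            name = "bugs"
            continue
        elif line.startswith("====") or re.match(r"^\d+\. ", line):
            name = None
            continue
        if name:
            sections.setdefault(name, []).append(line)
    return sections


def parse_advisory(text):
    """Return (header CVE set, {cve: (component, title)}, {cve: (bug id, component, title)})."""
    s = split_sections(text)
    header = set(CVE_RE.findall(" ".join(s.get("cve_names", []))))
    fixes, bugs = {}, {}
    for item in _items(s.get("fixes", []), re.compile(r"^\* ")):
        m = FIX_RE.match(item)
        if m:  # component names case-folded: "resteasy" and "RESTEasy" both occur
            fixes[m.group(3)] = (m.group(1).lower(), m.group(2))
    for item in _items(s.get("bugs", []), re.compile(r"^\d+ - ")):
        m = BUG_RE.match(item)
        if m:
            bugs[m.group(2)] = (m.group(1), m.group(3).lower(), m.group(4))
    return header, fixes, bugs


def check_consistency(header, fixes, bugs):
    """The three lists should name the same CVEs with the same component;
    anything returned here deserves a human look before the data is trusted."""
    return {
        "header_only": header - set(fixes) - set(bugs),
        "fix_without_bug": set(fixes) - set(bugs),
        "bug_without_fix": set(bugs) - set(fixes),
        "component_mismatch": {c for c in set(fixes) & set(bugs)
                               if fixes[c][0] != bugs[c][1]},
    }


# Constructed excerpt of RHSA-2020:2905, wrapped as in the mail. CVE-2020-10705
# is left in the header but dropped from the bullets and bug list on purpose.
SAMPLE = """\
Issue date:        2020-07-23
CVE Names:         CVE-2019-17573 CVE-2020-1714 CVE-2020-1719 CVE-2020-10688
                   CVE-2020-10705
=====================================================================

Security Fix(es):

* Wildfly: EJBContext principal is not popped back after invoking another EJB
using a different Security Domain (CVE-2020-1719)

* cxf: reflected XSS in the services listing page (CVE-2019-17573)

* keycloak: Lack of checks in ObjectInputStream leading to Remote Code
Execution (CVE-2020-1714)

* RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS
attack (CVE-2020-10688)

For more details about the security issues, see the CVE pages.

4. Bugs fixed (https://bugzilla.redhat.com/):

1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page
1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a
reflected XSS attack

5. References:
"""
```

Run against the full advisory text, the parser yields 18 CVEs in each of the three lists with no mismatches; on the excerpt it reports CVE-2020-10705 under "header_only", which is exactly the kind of gap that should stop an automated import rather than silently drop a CVE.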