-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat build of Thorntail 2.7.1 security and bug fix update
Advisory ID:       RHSA-2020:3539-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:3539
Issue date:        2020-09-02
CVE Names:         CVE-2020-1710 CVE-2020-1728 CVE-2020-1748
                   CVE-2020-10693 CVE-2020-10714 CVE-2020-10718
                   CVE-2020-10740 CVE-2020-10758 CVE-2020-14297
                   CVE-2020-14307
====================================================================

1. Summary:

An update is now available for Red Hat build of Thorntail.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability. For
more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Thorntail 2.7.1 includes security updates,
bug fixes, and enhancements. For more information, see the release notes
listed in the References section.

Security Fix(es):

* EAP: field-name is not parsed in accordance to RFC7230 (CVE-2020-1710)

* Wildfly: Improper authorization issue in WildFlySecurityManager when using
alternative protection domain (CVE-2020-1748)

* keycloak: security headers missing on REST endpoints (CVE-2020-1728)

* wildfly-elytron: session fixation when using FORM authentication
(CVE-2020-10714)

* hibernate-validator: Improper input validation in the interpolation of
constraint error messages (CVE-2020-10693)

* wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API
(CVE-2020-10718)

* wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
(CVE-2020-10740)

* wildfly: EJB SessionOpenInvocations may not be removed properly after a
response is received causing Denial of Service (CVE-2020-14307)

* keycloak: DoS by sending multiple simultaneous requests with a
Content-Length header value greater than actual byte count of request body
(CVE-2020-10758)

* wildfly: Some EJB transaction objects may get accumulated causing Denial
of Service (CVE-2020-14297)

For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230
1800585 - CVE-2020-1728 keycloak: security headers missing on REST endpoints
1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages
1807707 - CVE-2020-1748 Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain
1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication
1828476 - CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API
1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
1843849 - CVE-2020-10758 keycloak: DoS by sending multiple simultaneous requests with a Content-Length header value greater than actual byte count of request body
1851327 - CVE-2020-14307 wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service
1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service

5. References:

https://access.redhat.com/security/cve/CVE-2020-1710
https://access.redhat.com/security/cve/CVE-2020-1728
https://access.redhat.com/security/cve/CVE-2020-1748
https://access.redhat.com/security/cve/CVE-2020-10693
https://access.redhat.com/security/cve/CVE-2020-10714
https://access.redhat.com/security/cve/CVE-2020-10718
https://access.redhat.com/security/cve/CVE-2020-10740
https://access.redhat.com/security/cve/CVE-2020-10758
https://access.redhat.com/security/cve/CVE-2020-14297
https://access.redhat.com/security/cve/CVE-2020-14307
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.thorntail&version=2.7.1
https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.7/html/release_notes_for_thorntail_2.7/

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX09qYtzjgjWX9erEAQgbFg/+OeMlv2yO3eadphDh621Ct3ETCoVubJyt
zGltirtZItgiBaEPOI0jd19JxHIAtsGZzPHv0X8BfKe8PbPWCkBxxKGo/fDKmuOw
6orop2EJxTLe+HcaUK2JfvRtMHnNDiMky9EUJS0JkVqaNCLPiHcEBg1aKDPwm0rm
hSH7LrCiXAOHLHhJFeLEtBpVaxtbrKT8X7ShlLpnhEWzYcR5sLT6FiZoYIH+0NOj
yoAr8kAWxp4z5NaAxnX4D8xfHdjLK4YBUCjF7EmFPEqEblJ65j7R2FQcK5fDXgx7
56xj1PpvOgS8M66DhfT8ltSr6hFod27q8Xm4MOijcHtWWJKPwg+6fQOhtHfprb+2
Oo51/FQjCt7NBsmRl3yec+pg2YMS6jbpZ1EeWTDvC0j1sZCZrUGV+8MY2n4SbJy+
94di/iO8j1reYKKw37p+XxJSCh/AM2n0Ah/Ekam+ptrHFx+6JRZcLmiT2gy2jA0Z
ODijwB/T1KoZoo+YBGpPnGXvt2ZnlRX+yYa2QanC1befJf5koUl5vboXhUQJ97Al
H46NI8nIer/wOnfuG42m+o0VMXmy9ikiEY4VJhfS9N5qmLKL+xGdx1K4ul+uBIVt
tBzawCPXS2QKI5lcqZxJG+adTpnJKF5Pblt2xv5ZV1mHZipSgaxlRgp5JDxbvzkN
A/PCzYEL428=
=pd0S
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
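The Solution section above says to apply the 2.7.1 update but gives no way to confirm which Thorntail release a project actually builds against. The script below is an added example, not part of the advisory and not Red Hat tooling: it reads a Maven pom.xml, resolves the version of every io.thorntail dependency and plugin (expanding ${property} references), and flags anything below 2.7.1. The embedded pom.xml, the bom-certified artifact name and the 2.7.0.Final-redhat-00001 version string are constructed for illustration; only "2.7.1" as the fixed release comes from the advisory.

```python
"""Audit a Maven POM for Red Hat build of Thorntail versions older than the
fixed release in RHSA-2020:3539 (2.7.1).

Added example, not Red Hat code. Assumed (not stated by the advisory): the
project pins Thorntail via io.thorntail dependencies/plugins in pom.xml, and
Red Hat build versions look like 2.7.0.Final-redhat-00001.
"""
import re
import sys
import xml.etree.ElementTree as ET

FIXED_VERSION = "2.7.1"                      # from the advisory
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml; artifact names and versions are hypothetical.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <version.thorntail>2.7.0.Final-redhat-00001</version.thorntail>
  </properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>io.thorntail</groupId>
      <artifactId>bom-certified</artifactId>
      <version>${version.thorntail}</version>
      <type>pom</type><scope>import</scope>
    </dependency>
  </dependencies></dependencyManagement>
  <build><plugins>
    <plugin>
      <groupId>io.thorntail</groupId>
      <artifactId>thorntail-maven-plugin</artifactId>
      <version>${version.thorntail}</version>
    </plugin>
  </plugins></build>
</project>
"""


def parse_version(v):
    """'2.7.1.Final-redhat-00002' -> ((2, 7, 1), 2): the numeric dotted prefix
    padded to three parts, then the redhat build number (0 if absent)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))           # so "2.7" compares like 2.7.0
    build = re.search(r"redhat-(\d+)$", v)
    return nums, int(build.group(1)) if build else 0


def is_fixed(v, fixed=FIXED_VERSION):
    """True when v is at or above the fixed release; unparseable strings
    (e.g. an unresolved ${property}) are reported as not fixed."""
    try:
        return parse_version(v) >= parse_version(fixed)
    except ValueError:
        return False


def thorntail_versions(pom_xml):
    """Return {artifactId: resolved version} for every io.thorntail
    dependency or plugin in the POM, expanding ${property} references."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    props.setdefault("project.version", root.findtext("m:version", "", NS))
    found = {}
    for node in root.iter():
        gid, aid, ver = (node.find(f"m:{t}", NS)
                         for t in ("groupId", "artifactId", "version"))
        if gid is None or aid is None or ver is None:
            continue
        if (gid.text or "").strip() != "io.thorntail":
            continue
        raw = (ver.text or "").strip()
        # Expand ${prop}; an unknown property is left as-is and fails is_fixed().
        resolved = re.sub(r"\$\{([^}]+)\}",
                          lambda mm: props.get(mm.group(1), mm.group(0)), raw)
        found[(aid.text or "").strip()] = resolved
    return found


def audit(pom_xml):
    """Return a sorted list of (artifactId, version, fixed?) tuples."""
    return [(a, v, is_fixed(v)) for a, v in sorted(thorntail_versions(pom_xml).items())]


if __name__ == "__main__":
    pom = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POM
    for artifact, version, ok in audit(pom):
        print(f"{'OK ' if ok else 'FIX'} io.thorntail:{artifact} {version}")
```

Run it as `python3 check_thorntail.py path/to/pom.xml`; with no argument it audits the embedded sample and reports both artifacts as needing the fix. It only sees versions declared in that one POM, so a version inherited from a parent POM or pulled in transitively will not show up; for those, inspect `mvn dependency:tree` output instead.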