-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat build of Thorntail 2.7.2 security and bug fix update Advisory ID: RHSA-2020:5361-01 Product: Red Hat OpenShift Application Runtimes Advisory URL: https://access.redhat.com/errata/RHSA-2020:5361 Issue date: 2020-12-16 CVE Names: CVE-2020-14299 CVE-2020-14338 CVE-2020-14340 CVE-2020-25638 CVE-2020-25649 ==================================================================== 1. Summary: An update is now available for Red Hat build of Thorntail. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section. 2. Description: This release of Red Hat build of Thorntail 2.7.2 includes security updates, bug fixes, and enhancements. For more information, see the release notes listed in the References section. Security Fix(es): * picketbox: JBoss EAP reload to admin-only mode allows authentication bypass (CVE-2020-14299) * xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS (CVE-2020-14340) * wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl (CVE-2020-14338) * hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used (CVE-2020-25638) * jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) (CVE-2020-25649) For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. 4. Bugs fixed (https://bugzilla.redhat.com/): 1848533 - CVE-2020-14299 picketbox: JBoss EAP reload to admin-only mode allows authentication bypass 1860054 - CVE-2020-14338 wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl 1860218 - CVE-2020-14340 xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS 1881353 - CVE-2020-25638 hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used 1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE) 5. References: https://access.redhat.com/security/cve/CVE-2020-14299 https://access.redhat.com/security/cve/CVE-2020-14338 https://access.redhat.com/security/cve/CVE-2020-14340 https://access.redhat.com/security/cve/CVE-2020-25638 https://access.redhat.com/security/cve/CVE-2020-25649 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&productÊtRhoar.thorntail&version=2.7.2 https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.7/html/release_notes_for_thorntail_2.7/ 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBX9m1btzjgjWX9erEAQhymw/9GVJAqvDxXMVLGHLycRkvz1TnlJ3SHVkV pKhYPMmvtYhqoEImQw/0+TRSdrMuhQ03S3rrYjD++Y/i/miBmhsMrM3LN2f42EN/ 6HAhBaN9DY4OsX2wVp5ZqrSDeI/YTueg2J5udOgdmtnwM7RmlWAqYYbuB7VFC4kA CL92g6fgsY3zhOyiHmWQRtptzgSVW2uzfiV1TGGTK2nlu53gh5X+D/sAZElv8UhZ pISFuShVc8BVC9xOGKdwW8EMIn+zJaK6lHDdB2JtGoHqUiAS1dDghcfKYBx0CeO/ V2GSu3cYnciKqEhkCZo5pYhvhw2OH5DSigRPcDCqvyJ8yD2i4qcaiqV+XPT0W9FS DF4P4DhQAir9JDgbFt7bU1pgzRPZSsZzDCdmJ5VVJRmT+L7NezjaVJV7gh3ifwVJ YXh5bwo45t5oIohZ8fEPIhtu6/mf9gDT5CUNUqj97mQ0XwTcwxyYNFb0EITWLws/ Nm84KrxPliKkmW8mfK9Zfps2L79UK/VRIInfgbQJgv3qEuVJnbzkiaZq6UE7Adct 7Rjsqb2saIDQzI1+zRV+UqCvy6V+4CYExhtNZfLiYkf7IFqFrptUpBzRIs7Qm77A s3bPjhfwWPJ8XDlp2Hgrao/Al5oulpqQVEIgXTffgpnkVM4K4KEbPtwIggZJ1YHW 0mkEgkalde0=tnio -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce