-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.6 security update Advisory ID: RHSA-2021:0873-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2021:0873 Issue date: 2021-03-16 CVE Names: CVE-2020-8908 CVE-2020-10687 CVE-2020-28052 CVE-2020-35510 CVE-2021-20220 CVE-2021-20250 ===================================================================== 1. Summary: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.3 for RHEL 7 Server - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.5, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.6 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client (CVE-2020-35510) * bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible (CVE-2020-28052) * wildfly-undertow: undertow: Possible regression in fix for CVE-2020-10687 (CVE-2021-20220) * jboss-ejb-client: wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client (CVE-2021-20250) * guava: local information disclosure via temporary directory created with unsafe permissions (CVE-2020-8908) 4. Solution: Before applying this update, ensure all previously released errata relevant to your system have been applied. For details about how to apply this update, see: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client 1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions 1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible 1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687 1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-20336 - (7.3.z) Upgrade Bouncy Castle from 1.65.0.redhat-00001 to 1.68.0.redhat-00001 JBEAP-20628 - [GSS] (7.3.z) Upgrade undertow from 2.0.33.SP2-redhat-00001 to 2.0.34.SP1-redhat-00001 JBEAP-20672 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00017 to 2.9.0.redhat-00019 JBEAP-20694 - (7.3.z) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final JBEAP-20695 - (7.3.z) (WF-Core) Upgrade WildFly Galleon Plugins from 4.2.8.Final to 4.2.10.Final JBEAP-20716 - Tracker bug for the EAP 7.3.6 release for RHEL-7 JBEAP-20762 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.37.Final-redhat-00001 to 4.0.39.SP1-redhat-00001 JBEAP-20791 - (7.3.z) Upgrade WildFly Elytron from 1.10.10.Final-redhat-00001 to 1.10.11.Final-redhat-00001 JBEAP-20795 - [GSS](7.3.z) Upgrade HAL from 3.2.12.Final-redhat-00001 to 3.2.13.Final-redhat-00001 JBEAP-20802 - (7.3.z) Upgrade Narayana from 5.9.10.Final-redhat-00001 to 5.9.11.Final-redhat-00001 JBEAP-20805 - (7.3.z) Upgrade guava from 25.0.redhat-1 to 30.1.0.redhat-00001 JBEAP-20815 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.20.Final-redhat-00001 to 5.0.20.SP1-redhat-00001 JBEAP-20816 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.24.Final-redhat-00001 to 1.0.25.Final-redhat-00001 JBEAP-20883 - [GSS](7.3.z) Upgrade wildfly-naming-client from 1.0.13.Final-redhat-00001 to 1.0.14.Final-redhat-00001 JBEAP-20887 - (7.3.z) Upgrade IronJacamar from 1.4.22.Final-redhat-00001 to 1.4.27.Final-redhat-00001 JBEAP-20908 - (7.3.z)(wf-core) Upgrade guava from 20.0 to 30.1.0.redhat-00001 JBEAP-20918 - (7.3.z) Upgrade jboss-logmanager from 2.1.17.Final-redhat-00001 to 2.1.18.Final-redhat-00001 JBEAP-20941 - (7.3.z)(wf-core) Upgrade Bouncy Castle from 1.65 to 1.68 7. Package List: Red Hat JBoss EAP 7.3 for RHEL 7 Server: Source: eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el7eap.src.rpm eap7-bouncycastle-1.68.0-1.redhat_00001.1.el7eap.src.rpm eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el7eap.src.rpm eap7-guava-libraries-30.1.0-1.redhat_00001.1.el7eap.src.rpm eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el7eap.src.rpm eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el7eap.src.rpm eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el7eap.src.rpm eap7-narayana-5.9.11-1.Final_redhat_00001.1.el7eap.src.rpm eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el7eap.src.rpm eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el7eap.src.rpm eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-http-client-1.0.25-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el7eap.src.rpm noarch: eap7-activemq-artemis-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-cli-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-commons-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-core-client-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-dto-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-client-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-server-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-journal-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-ra-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-selector-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-server-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-activemq-artemis-tools-2.9.0-9.redhat_00019.1.el7eap.noarch.rpm eap7-bouncycastle-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-bouncycastle-mail-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-bouncycastle-pkix-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-bouncycastle-prov-1.68.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-guava-30.1.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-guava-failureaccess-1.0.1-1.redhat_00002.1.el7eap.noarch.rpm eap7-guava-libraries-30.1.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-hal-console-3.2.13-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-api-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-api-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-validator-1.4.27-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-ejb-client-4.0.39-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-logmanager-2.1.18-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-remoting-5.0.20-2.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-server-migration-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-cli-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-core-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.3-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly15.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly16.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly17.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly18.0-server-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.7.2-5.Final_redhat_00006.1.el7eap.noarch.rpm eap7-narayana-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-compensations-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jbosstxbridge-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jbossxts-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jts-idlj-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jts-integration-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-api-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-bridge-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-integration-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-util-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-txframework-5.9.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-undertow-2.0.34-1.SP1_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-elytron-1.10.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-tool-1.10.11-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-client-common-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.25-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-java-jdk11-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-java-jdk8-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-javadocs-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-modules-7.3.6-1.GA_redhat_00002.1.el7eap.noarch.rpm eap7-wildfly-naming-client-1.0.14-1.Final_redhat_00001.1.el7eap.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2020-8908 https://access.redhat.com/security/cve/CVE-2020-10687 https://access.redhat.com/security/cve/CVE-2020-28052 https://access.redhat.com/security/cve/CVE-2020-35510 https://access.redhat.com/security/cve/CVE-2021-20220 https://access.redhat.com/security/cve/CVE-2021-20250 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/ 9. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYFC6PNzjgjWX9erEAQhwXw/+IcftYvV0k1bn5cPiB200OQaDYIqoqaf7 10hvauMXgYTx6CqYHVhBfJ9GGp0u+3RyhQroGQ0KX4/98D2SDcMduCMI+2MrMXlP Lh0/9BSfpeMha0ofuTeBr1Ut/YUthuC7hb6bmHmIu7WgVbllg5JdoSvczz8ssnMs h8JIlBh+3iLHAvE2HVEHiwEVTpuNpw7hJWnIOAyVZrInpWWKTtDs9DVodcopIOY1 tug3wDP7eVAFB5HY8eEjg8IzWXyDAD2/jH/KdlycbWUaddCQ1MHEfkpCoBqt3UPa TsIMyOiUx2dlF1vX62W3rJsGS4YMVWPpcgOqY6nFCpQngjZg2FN1lvwpeVlbUWH6 JCKTpyIOxUJnyQ0WC6CCn/K21trGj7VpeO5uyYBs9e1oel2ZvJjFdk+5Xu4SpO/u QucA/sz2yzMmGGMvQFnVyfLHZsb9yWh7ZXawmaGk4Pjl1UKkpgw+xqUbjf/x0oWi pjC+00IqXC+Sbq1ymcV+tBWMeBVYzoCY2ZMGQ7EV45EXniWM28M2+DJspp50c5HP QlYBHjdZxgvvKmrZHXOqqLNweVsOm/2vQVW097WTGH4LTDf3fTgWF6EuYuZu1cV1 hToZXAiaXQCP8F5ul44VWAw7ANraKzs1/gNWTCZvJFxX2m4AxrtBF+FRQ5lecpg6 OzFY6V140vk= =Q4ys -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce