rhsa-2019_3933
Vulnerability from csaf_redhat
Published
2019-11-20 16:14
Modified
2024-12-15 18:55
Summary
Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 7
Notes
Topic
An update is now available for JBoss Core Services on RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services offering.
This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.29 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys (CVE-2018-0737)
* openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)
* mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)
* openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407)
* mod_session_cookie does not respect expiry time (CVE-2018-17199)
* mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)
* mod_http2: possible crash on late upgrade (CVE-2019-0197)
* mod_http2: read-after-free on a string compare (CVE-2019-0196)
* nghttp2: HTTP/2: large amount of data request leads to denial of service (CVE-2019-9511)
* nghttp2: HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513)
* mod_http2: HTTP/2: 0-length headers leads to denial of service (CVE-2019-9516)
* mod_http2: HTTP/2: request for large response leads to denial of service (CVE-2019-9517)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for JBoss Core Services on RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services offering.\n\nThis release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.29 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys (CVE-2018-0737)\n* openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)\n* mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)\n* openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407)\n* mod_session_cookie does not respect expiry time (CVE-2018-17199)\n* mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)\n* mod_http2: possible crash on late upgrade (CVE-2019-0197)\n* mod_http2: read-after-free on a string compare (CVE-2019-0196)\n* nghttp2: HTTP/2: large amount of data request leads to denial of service (CVE-2019-9511)\n* nghttp2: HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513)\n* mod_http2: HTTP/2: 0-length headers leads to denial of service (CVE-2019-9516)\n* mod_http2: HTTP/2: request for large response leads to denial of service (CVE-2019-9517)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2019:3933", url: "https://access.redhat.com/errata/RHSA-2019:3933", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1568253", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1568253", }, { category: "external", summary: "1644364", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1644364", }, { category: "external", summary: "1645695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1645695", }, { category: "external", summary: "1668493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1668493", }, { category: "external", summary: "1668497", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1668497", }, { category: "external", summary: "1695020", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1695020", }, { category: "external", summary: "1695030", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1695030", }, { category: "external", summary: "1695042", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1695042", }, { category: "external", summary: "1735741", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1735741", }, { category: "external", summary: "1741860", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1741860", }, { category: "external", summary: "1741864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1741864", }, { category: "external", summary: "1741868", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1741868", }, { category: "external", summary: "JBCS-798", url: "https://issues.redhat.com/browse/JBCS-798", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_3933.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 7", tracking: { current_release_date: "2024-12-15T18:55:58+00:00", generator: { date: "2024-12-15T18:55:58+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2019:3933", initial_release_date: "2019-11-20T16:14:21+00:00", revision_history: [ { date: "2019-11-20T16:14:21+00:00", number: "1", summary: "Initial version", }, { date: "2020-01-06T13:04:40+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T18:55:58+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Core Services on RHEL 7 Server", product: { name: "Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_core_services:1::el7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Core Services", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", product_id: "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-jansson@2.11-20.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", product_id: "jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-jansson-devel@2.11-20.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", product_id: "jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-jansson-debuginfo@2.11-20.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr@1.6.3-63.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-devel@1.6.3-63.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-debuginfo@1.6.3-63.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", product_id: "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-openssl@1.1.1-25.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", product_id: "jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-openssl-devel@1.1.1-25.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", product_id: "jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-openssl-libs@1.1.1-25.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", product_id: "jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-openssl-perl@1.1.1-25.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", product_id: "jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-openssl-static@1.1.1-25.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", product_id: "jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-openssl-debuginfo@1.1.1-25.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util@1.6.1-48.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util-devel@1.6.1-48.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util-ldap@1.6.1-48.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util-mysql@1.6.1-48.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util-nss@1.6.1-48.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util-odbc@1.6.1-48.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util-openssl@1.6.1-48.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util-pgsql@1.6.1-48.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util-sqlite@1.6.1-48.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util-debuginfo@1.6.1-48.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", product_id: "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-brotli@1.0.6-7.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", product_id: "jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-brotli-devel@1.0.6-7.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", product_id: "jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-brotli-debuginfo@1.0.6-7.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", product_id: "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-nghttp2@1.39.2-4.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", product_id: "jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-nghttp2-devel@1.39.2-4.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", product_id: "jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-nghttp2-debuginfo@1.39.2-4.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", product_id: "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-curl@7.64.1-14.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", product_id: "jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-libcurl@7.64.1-14.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", product_id: "jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-libcurl-devel@7.64.1-14.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", product_id: "jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-curl-debuginfo@7.64.1-14.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", product_id: "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-httpd@2.4.37-33.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", product_id: "jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-httpd-devel@2.4.37-33.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", product_id: "jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-httpd-selinux@2.4.37-33.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", product_id: "jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-httpd-tools@2.4.37-33.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_ldap@2.4.37-33.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_md@2.4.37-33.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_proxy_html@2.4.37-33.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_session@2.4.37-33.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_ssl@2.4.37-33.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", product_id: "jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-httpd-debuginfo@2.4.37-33.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_jk-ap24@1.2.46-22.redhat_1.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_jk-manual@1.2.46-22.redhat_1.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_jk-debuginfo@1.2.46-22.redhat_1.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_cluster-native@1.3.12-9.Final_redhat_2.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_cluster-native-debuginfo@1.3.12-9.Final_redhat_2.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_security@2.9.2-16.GA.jbcs.el7?arch=x86_64", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", product_id: "jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_security-debuginfo@2.9.2-16.GA.jbcs.el7?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", product: { name: "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", product_id: "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-jansson@2.11-20.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", product: { name: "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", product_id: "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr@1.6.3-63.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", product: { name: "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", product_id: "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-openssl@1.1.1-25.jbcs.el7?arch=src&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", product: { name: "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", product_id: "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apr-util@1.6.1-48.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", product: { name: "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", product_id: "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-brotli@1.0.6-7.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", product: { name: "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", product_id: "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-nghttp2@1.39.2-4.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", product: { name: "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", product_id: "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-curl@7.64.1-14.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", product: { name: "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", product_id: "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-httpd@2.4.37-33.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", product: { name: "jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", product_id: "jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_jk@1.2.46-22.redhat_1.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", product: { name: "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", product_id: "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_cluster-native@1.3.12-9.Final_redhat_2.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", product: { name: "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", product_id: "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-mod_security@2.9.2-16.GA.jbcs.el7?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", product: { name: "jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", product_id: "jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-httpd-manual@2.4.37-33.jbcs.el7?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", }, product_reference: "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", }, product_reference: "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", }, product_reference: "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", }, product_reference: "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", }, product_reference: "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", }, product_reference: "jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", }, product_reference: "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", }, product_reference: "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", }, product_reference: "jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", }, product_reference: "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", }, product_reference: "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", }, product_reference: "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64 as a component of Red Hat JBoss Core Services on RHEL 7 Server", product_id: "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JBCS", }, ], }, vulnerabilities: [ { cve: "CVE-2018-0734", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2018-10-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1644364", }, ], notes: [ { category: "description", text: "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).", title: "Vulnerability description", }, { category: "summary", text: "openssl: timing side channel attack in the DSA signature algorithm", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-0734", }, { category: "external", summary: "RHBZ#1644364", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1644364", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-0734", url: "https://www.cve.org/CVERecord?id=CVE-2018-0734", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-0734", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-0734", }, ], release_date: "2018-10-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.1, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "openssl: timing side channel attack in the DSA signature algorithm", }, { cve: "CVE-2018-0737", cwe: { id: "CWE-385", name: "Covert Timing Channel", }, discovery_date: "2018-04-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1568253", }, ], notes: [ { category: "description", text: "OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.", title: "Vulnerability description", }, { category: "summary", text: "openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-0737", }, { category: "external", summary: "RHBZ#1568253", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1568253", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-0737", url: "https://www.cve.org/CVERecord?id=CVE-2018-0737", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-0737", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-0737", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2018/04/16/3", url: "http://www.openwall.com/lists/oss-security/2018/04/16/3", }, { category: "external", summary: "https://www.openssl.org/news/secadv/20180416.txt", url: "https://www.openssl.org/news/secadv/20180416.txt", }, ], release_date: "2018-04-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys", }, { acknowledgments: [ { names: [ "Alejandro Cabrera Aldaya", ], organization: "Universidad Tecnologica de la Habana CUJAE; Cuba", }, { names: [ "Billy Bob Brumley", "Cesar Pereida Garcia", "Sohaib ul Hassan", ], }, { names: [ "Nicola Tuveri", ], organization: "Tampere University of Technology; Finland", }, ], cve: "CVE-2018-5407", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2018-11-02T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1645695", }, ], notes: [ { category: "description", text: "A microprocessor side-channel vulnerability was found on SMT (e.g, Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information.", title: "Vulnerability description", }, { category: "summary", text: "openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)", title: "Vulnerability summary", }, { category: "other", text: "This is a timing side-channel flaw on processors which implement SMT/Hyper-Threading architectures. It can result in leakage of secret data in applications such as OpenSSL that has secret dependent control flow at any granularity level. In order to exploit this flaw, the attacker needs to run a malicious process on the same core of the processor as the victim process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-5407", }, { category: "external", summary: "RHBZ#1645695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1645695", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-5407", url: "https://www.cve.org/CVERecord?id=CVE-2018-5407", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-5407", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-5407", }, { category: "external", summary: "https://github.com/bbbrumley/portsmash", url: "https://github.com/bbbrumley/portsmash", }, { category: "external", summary: "https://www.openssl.org/news/secadv/20181112.txt", url: "https://www.openssl.org/news/secadv/20181112.txt", }, ], release_date: "2018-10-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, { category: "workaround", details: "At this time Red Hat Engineering is working on patches for openssl package in Red Hat Enterprise Linux 7 to address this issue. Until fixes are available, users are advised to review the guidance supplied in the L1 Terminal Fault vulnerability article: https://access.redhat.com/security/vulnerabilities/L1TF and decide what their exposure across shared CPU threads are and act accordingly.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "PHYSICAL", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)", }, { cve: "CVE-2018-17189", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2019-01-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1668497", }, ], notes: [ { category: "description", text: "In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.", title: "Vulnerability description", }, { category: "summary", text: "httpd: mod_http2: DoS via slow, unneeded request bodies", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-17189", }, { category: "external", summary: "RHBZ#1668497", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1668497", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-17189", url: "https://www.cve.org/CVERecord?id=CVE-2018-17189", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-17189", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-17189", }, ], release_date: "2019-01-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "httpd: mod_http2: DoS via slow, unneeded request bodies", }, { cve: "CVE-2018-17199", cwe: { id: "CWE-613", name: "Insufficient Session Expiration", }, discovery_date: "2019-01-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1668493", }, ], notes: [ { category: "description", text: "In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.", title: "Vulnerability description", }, { category: "summary", text: "httpd: mod_session_cookie does not respect expiry time", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2018-17199", }, { category: "external", summary: "RHBZ#1668493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1668493", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2018-17199", url: "https://www.cve.org/CVERecord?id=CVE-2018-17199", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2018-17199", url: "https://nvd.nist.gov/vuln/detail/CVE-2018-17199", }, ], release_date: "2019-01-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "httpd: mod_session_cookie does not respect expiry time", }, { cve: "CVE-2019-0196", cwe: { id: "CWE-416", name: "Use After Free", }, discovery_date: "2019-04-02T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1695030", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.", title: "Vulnerability description", }, { category: "summary", text: "httpd: mod_http2: read-after-free on a string compare", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-0196", }, { category: "external", summary: "RHBZ#1695030", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1695030", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-0196", url: "https://www.cve.org/CVERecord?id=CVE-2019-0196", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-0196", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-0196", }, { category: "external", summary: "http://www.apache.org/dist/httpd/CHANGES_2.4", url: "http://www.apache.org/dist/httpd/CHANGES_2.4", }, { category: "external", summary: "https://httpd.apache.org/security/vulnerabilities_24.html", url: "https://httpd.apache.org/security/vulnerabilities_24.html", }, ], release_date: "2019-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "httpd: mod_http2: read-after-free on a string compare", }, { cve: "CVE-2019-0197", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2019-04-02T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1695042", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set \"H2Upgrade on\" are unaffected by this issue.", title: "Vulnerability description", }, { category: "summary", text: "httpd: mod_http2: possible crash on late upgrade", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-0197", }, { category: "external", summary: "RHBZ#1695042", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1695042", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-0197", url: "https://www.cve.org/CVERecord?id=CVE-2019-0197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-0197", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-0197", }, { category: "external", summary: "http://www.apache.org/dist/httpd/CHANGES_2.4", url: "http://www.apache.org/dist/httpd/CHANGES_2.4", }, { category: "external", summary: "https://httpd.apache.org/security/vulnerabilities_24.html", url: "https://httpd.apache.org/security/vulnerabilities_24.html", }, ], release_date: "2019-02-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "httpd: mod_http2: possible crash on late upgrade", }, { cve: "CVE-2019-0217", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2019-04-02T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1695020", }, ], notes: [ { category: "description", text: "A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.", title: "Vulnerability description", }, { category: "summary", text: "httpd: mod_auth_digest: access control bypass due to race condition", title: "Vulnerability summary", }, { category: "other", text: "Based on the the fact that digest authentication is rarely used in modern day web applications and httpd package shipped with Red Hat products do not ship threaded MPM configuration by default, this flaw has been rated as having Moderate level security impact. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-0217", }, { category: "external", summary: "RHBZ#1695020", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1695020", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-0217", url: "https://www.cve.org/CVERecord?id=CVE-2019-0217", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-0217", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-0217", }, { category: "external", summary: "http://www.apache.org/dist/httpd/CHANGES_2.4", url: "http://www.apache.org/dist/httpd/CHANGES_2.4", }, { category: "external", summary: "https://httpd.apache.org/security/vulnerabilities_24.html", url: "https://httpd.apache.org/security/vulnerabilities_24.html", }, ], release_date: "2019-04-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, { category: "workaround", details: "This flaw only affects a threaded server configuration, so using the prefork MPM is an effective mitigation. In versions of httpd package shipped with Red Hat Enterprise Linux 7, the prefork MPM is the default configuration.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "httpd: mod_auth_digest: access control bypass due to race condition", }, { cve: "CVE-2019-9511", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2019-08-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1741860", }, ], notes: [ { category: "description", text: "A flaw was found in HTTP/2. An attacker can request a large amount of data by manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this queue can consume excess CPU, memory, or both, leading to a denial of service. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "HTTP/2: large amount of data requests leads to denial of service", title: "Vulnerability summary", }, { category: "other", text: "There are no mitigations available for nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-9511", }, { category: "external", summary: "RHBZ#1741860", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1741860", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-9511", url: "https://www.cve.org/CVERecord?id=CVE-2019-9511", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-9511", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9511", }, { category: "external", summary: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { category: "external", summary: "https://kb.cert.org/vuls/id/605641/", url: "https://kb.cert.org/vuls/id/605641/", }, { category: "external", summary: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", url: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", }, { category: "external", summary: "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", url: "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", }, ], release_date: "2019-08-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, { category: "workaround", details: "Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fixed is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:\n\n1. Copy the Nginx configuration from the quay container to the host\n$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx\n\n2. Edit the Nginx configuration, removing http/2 support\n$ sed -i 's/http2 //g' /mnt/quay/nginx/nginx.conf\n\n3. Restart Nginx with the new configuration mounted into the container, eg:\n$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "HTTP/2: large amount of data requests leads to denial of service", }, { acknowledgments: [ { names: [ "the Envoy security team", ], }, ], cve: "CVE-2019-9513", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2019-08-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1735741", }, ], notes: [ { category: "description", text: "A flaw was found in HTTP/2. An attacker, using PRIORITY frames to flood the system, could cause excessive CPU usage and starvation of other clients. The largest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "HTTP/2: flood using PRIORITY frames results in excessive resource consumption", title: "Vulnerability summary", }, { category: "other", text: "This flaw has no available mitigation for packages nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-9513", }, { category: "external", summary: "RHBZ#1735741", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1735741", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-9513", url: "https://www.cve.org/CVERecord?id=CVE-2019-9513", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-9513", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9513", }, { category: "external", summary: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { category: "external", summary: "https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/", url: "https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/", }, { category: "external", summary: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", url: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", }, { category: "external", summary: "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", url: "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", }, ], release_date: "2019-08-13T17:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, { category: "workaround", details: "Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fixed is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:\n\n1. Copy the Nginx configuration from the quay container to the host\n$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx\n\n2. Edit the Nginx configuration, removing http/2 support\n$ sed -i 's/http2 //g' /mnt/quay/nginx/nginx.conf\n\n3. Restart Nginx with the new configuration mounted into the container, eg:\n$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "HTTP/2: flood using PRIORITY frames results in excessive resource consumption", }, { cve: "CVE-2019-9516", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2019-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1741864", }, ], notes: [ { category: "description", text: "A flaw was found in HTTP/2. An attacker, sending a stream of header with a 0-length header name and a 0-length header value, could cause some implementations to allocate memory for these headers and keep the allocations alive until the session dies. The can consume excess memory, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "HTTP/2: 0-length headers lead to denial of service", title: "Vulnerability summary", }, { category: "other", text: "This flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-9516", }, { category: "external", summary: "RHBZ#1741864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1741864", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-9516", url: "https://www.cve.org/CVERecord?id=CVE-2019-9516", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-9516", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9516", }, { category: "external", summary: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { category: "external", summary: "https://github.com/nghttp2/nghttp2/issues/1382#", url: "https://github.com/nghttp2/nghttp2/issues/1382#", }, { category: "external", summary: "https://kb.cert.org/vuls/id/605641/", url: "https://kb.cert.org/vuls/id/605641/", }, { category: "external", summary: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", url: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", }, { category: "external", summary: "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", url: "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/", }, ], release_date: "2019-08-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, { category: "workaround", details: "Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fixed is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:\n\n1. Copy the Nginx configuration from the quay container to the host\n$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx\n\n2. Edit the Nginx configuration, removing http/2 support\n$ sed -i 's/http2 //g' /mnt/quay/nginx/nginx.conf\n\n3. Restart Nginx with the new configuration mounted into the container, eg:\n$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "HTTP/2: 0-length headers lead to denial of service", }, { cve: "CVE-2019-9517", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2019-08-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1741868", }, ], notes: [ { category: "description", text: "A vulnerability was found in HTTP/2. An attacker can open a HTTP/2 window so the peer can send without constraint. The TCP window remains closed so the peer cannot write the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the server's queue is setup, the responses can consume excess memory, CPU, or both, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "HTTP/2: request for large response leads to denial of service", title: "Vulnerability summary", }, { category: "other", text: "The package httpd versions as shipped with Red Hat Enterprise Linux 5, 6 and 7 are not affected by this issue as HTTP/2 support is not provided.\nThis flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-9517", }, { category: "external", summary: "RHBZ#1741868", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1741868", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-9517", url: "https://www.cve.org/CVERecord?id=CVE-2019-9517", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-9517", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9517", }, { category: "external", summary: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { category: "external", summary: "https://kb.cert.org/vuls/id/605641/", url: "https://kb.cert.org/vuls/id/605641/", }, { category: "external", summary: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", url: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", }, ], release_date: "2019-08-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-11-20T16:14:21+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:3933", }, { category: "workaround", details: "The httpd version shipped with Red Hat Enterprise Linux 8 provides HTTP/2 support through mod_http2 package. While mod_http2 package is not updated, users can disable HTTP/2 support as mitigation action by executing the following steps:\n\n1. Stop httpd service:\n$ systemctl stop httpd\n\n2. Remove http/2 protocol support from configuration files:\n$ sed -i 's/\\(h2\\)\\|\\(h2c\\)//g' <httpd_config_file>\n\n3. Validate configuration files to make sure all syntax is valid:\n$ apachectl configtest\n\n4. Restart httpd service:\n$ systemctl start httpd", product_ids: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-debuginfo-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-devel-0:1.6.3-63.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-debuginfo-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-devel-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-ldap-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-mysql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-nss-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-odbc-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-openssl-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-pgsql-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-apr-util-sqlite-0:1.6.1-48.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-debuginfo-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-brotli-devel-0:1.0.6-7.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-curl-debuginfo-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-debuginfo-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-devel-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-manual-0:2.4.37-33.jbcs.el7.noarch", "7Server-JBCS:jbcs-httpd24-httpd-selinux-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-httpd-tools-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-jansson-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-debuginfo-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-jansson-devel-0:2.11-20.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-libcurl-devel-0:7.64.1-14.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-9.Final_redhat_2.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_jk-ap24-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_jk-manual-0:1.2.46-22.redhat_1.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ldap-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_md-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_proxy_html-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_security-debuginfo-0:2.9.2-16.GA.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_session-0:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-mod_ssl-1:2.4.37-33.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-debuginfo-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-nghttp2-devel-0:1.39.2-4.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.src", "7Server-JBCS:jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-debuginfo-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-devel-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-libs-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-perl-1:1.1.1-25.jbcs.el7.x86_64", "7Server-JBCS:jbcs-httpd24-openssl-static-1:1.1.1-25.jbcs.el7.x86_64", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "HTTP/2: request for large response leads to denial of service", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.