rhsa-2020_0811
Vulnerability from csaf_redhat
Published
2020-03-12 17:00
Modified
2024-11-15 09:31
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.2.7 security update

Notes

Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat JBoss Enterprise Application Platform 7.2.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.7 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) * libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205) * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) * xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400) * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) * netty: HTTP request smuggling (CVE-2019-20444) * netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.2.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat JBoss Enterprise Application Platform 7.2.7 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.6, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.7 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)\n\n* libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)\n\n* libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)\n\n* xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400)\n\n* wildfly: The \u0027enabled-protocols\u0027 value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)\n\n* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)\n\n* netty: HTTP request smuggling (CVE-2019-20444)\n\n* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2020:0811",
        "url": "https://access.redhat.com/errata/RHSA-2020:0811"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=7.2",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=7.2"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/"
      },
      {
        "category": "external",
        "summary": "1764607",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1764607"
      },
      {
        "category": "external",
        "summary": "1764612",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1764612"
      },
      {
        "category": "external",
        "summary": "1764658",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1764658"
      },
      {
        "category": "external",
        "summary": "1767483",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483"
      },
      {
        "category": "external",
        "summary": "1772008",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772008"
      },
      {
        "category": "external",
        "summary": "1796225",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796225"
      },
      {
        "category": "external",
        "summary": "1798509",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509"
      },
      {
        "category": "external",
        "summary": "1798524",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524"
      },
      {
        "category": "external",
        "summary": "JBEAP-16051",
        "url": "https://issues.redhat.com/browse/JBEAP-16051"
      },
      {
        "category": "external",
        "summary": "JBEAP-17386",
        "url": "https://issues.redhat.com/browse/JBEAP-17386"
      },
      {
        "category": "external",
        "summary": "JBEAP-17683",
        "url": "https://issues.redhat.com/browse/JBEAP-17683"
      },
      {
        "category": "external",
        "summary": "JBEAP-17963",
        "url": "https://issues.redhat.com/browse/JBEAP-17963"
      },
      {
        "category": "external",
        "summary": "JBEAP-18008",
        "url": "https://issues.redhat.com/browse/JBEAP-18008"
      },
      {
        "category": "external",
        "summary": "JBEAP-18160",
        "url": "https://issues.redhat.com/browse/JBEAP-18160"
      },
      {
        "category": "external",
        "summary": "JBEAP-18164",
        "url": "https://issues.redhat.com/browse/JBEAP-18164"
      },
      {
        "category": "external",
        "summary": "JBEAP-18220",
        "url": "https://issues.redhat.com/browse/JBEAP-18220"
      },
      {
        "category": "external",
        "summary": "JBEAP-18274",
        "url": "https://issues.redhat.com/browse/JBEAP-18274"
      },
      {
        "category": "external",
        "summary": "JBEAP-18284",
        "url": "https://issues.redhat.com/browse/JBEAP-18284"
      },
      {
        "category": "external",
        "summary": "JBEAP-18292",
        "url": "https://issues.redhat.com/browse/JBEAP-18292"
      },
      {
        "category": "external",
        "summary": "JBEAP-18318",
        "url": "https://issues.redhat.com/browse/JBEAP-18318"
      },
      {
        "category": "external",
        "summary": "JBEAP-18327",
        "url": "https://issues.redhat.com/browse/JBEAP-18327"
      },
      {
        "category": "external",
        "summary": "JBEAP-18404",
        "url": "https://issues.redhat.com/browse/JBEAP-18404"
      },
      {
        "category": "external",
        "summary": "JBEAP-18437",
        "url": "https://issues.redhat.com/browse/JBEAP-18437"
      },
      {
        "category": "external",
        "summary": "JBEAP-18504",
        "url": "https://issues.redhat.com/browse/JBEAP-18504"
      },
      {
        "category": "external",
        "summary": "JBEAP-18699",
        "url": "https://issues.redhat.com/browse/JBEAP-18699"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_0811.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.2.7 security update",
    "tracking": {
      "current_release_date": "2024-11-15T09:31:53+00:00",
      "generator": {
        "date": "2024-11-15T09:31:53+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2020:0811",
      "initial_release_date": "2020-03-12T17:00:20+00:00",
      "revision_history": [
        {
          "date": "2020-03-12T17:00:20+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-03-12T17:00:20+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T09:31:53+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP 7.2",
                "product": {
                  "name": "Red Hat JBoss EAP 7.2",
                  "product_id": "Red Hat JBoss EAP 7.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-0205",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2019-10-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1764612"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "thrift: Endless loop when feed with specific input data",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains a vulnerable version of libthrift. However, OpenDaylight does not expose libthrift in a vulnerable way, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe thrift package in OpenShift Container Platform is installed only in Curator images in the Logging stack. The affected code is included in this package, it\u0027s functionality is not used. This vulnerability is therefore rated Low for OpenShift Container Platform.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-0205"
        },
        {
          "category": "external",
          "summary": "RHBZ#1764612",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1764612"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-0205",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-0205"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-0205",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0205"
        }
      ],
      "release_date": "2019-10-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-12T17:00:20+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).\n\nThe JBoss server process must be restarted for the update to take effect.",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0811"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "thrift: Endless loop when feed with specific input data"
    },
    {
      "cve": "CVE-2019-0210",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "discovery_date": "2019-10-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1764607"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform ships OpenDaylight, which contains a vulnerable version of libthrift. However, OpenDaylight is not affected as this is a Golang specific problem, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nThe version of thrift delivered in OpenShift Container Platform is not affected by this vulnerability as it does not contain the affected code.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-0210"
        },
        {
          "category": "external",
          "summary": "RHBZ#1764607",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1764607"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-0210",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-0210"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-0210",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0210"
        }
      ],
      "release_date": "2019-10-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-12T17:00:20+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).\n\nThe JBoss server process must be restarted for the update to take effect.",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0811"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol"
    },
    {
      "cve": "CVE-2019-10086",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2019-10-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1767483"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Apache Commons BeanUtils, where the class property in PropertyUtilsBean is not suppressed by default. This flaw allows an attacker to access the classloader.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-10086"
        },
        {
          "category": "external",
          "summary": "RHBZ#1767483",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1767483"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-10086",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-10086"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086"
        },
        {
          "category": "external",
          "summary": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt",
          "url": "https://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt"
        }
      ],
      "release_date": "2019-08-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-12T17:00:20+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).\n\nThe JBoss server process must be restarted for the update to take effect.",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0811"
        },
        {
          "category": "workaround",
          "details": "There is no currently known mitigation for this flaw.",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default"
    },
    {
      "cve": "CVE-2019-12400",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2019-08-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1764658"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-12400"
        },
        {
          "category": "external",
          "summary": "RHBZ#1764658",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1764658"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-12400",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-12400"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-12400",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12400"
        }
      ],
      "release_date": "2019-08-23T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-12T17:00:20+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).\n\nThe JBoss server process must be restarted for the update to take effect.",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0811"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source"
    },
    {
      "cve": "CVE-2019-14887",
      "cwe": {
        "id": "CWE-757",
        "name": "Selection of Less-Secure Algorithm During Negotiation (\u0027Algorithm Downgrade\u0027)"
      },
      "discovery_date": "2019-11-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1772008"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found when an OpenSSL security provider is used with Wildfly, the \u0027enabled-protocols\u0027 value in the Wildfly configuration isn\u0027t honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption.  This could lead to a leak of the data being passed over the network.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "wildfly: The \u0027enabled-protocols\u0027 value in legacy security is not respected if OpenSSL security provider is in use",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-14887"
        },
        {
          "category": "external",
          "summary": "RHBZ#1772008",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772008"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14887",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-14887"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14887",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14887"
        }
      ],
      "release_date": "2020-03-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-12T17:00:20+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).\n\nThe JBoss server process must be restarted for the update to take effect.",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0811"
        },
        {
          "category": "workaround",
          "details": "Avoid using an OpenSSL security provider and instead use the default configuration or regular JSSE provider with \u0027TLS\u0027.",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "wildfly: The \u0027enabled-protocols\u0027 value in legacy security is not respected if OpenSSL security provider is in use"
    },
    {
      "cve": "CVE-2019-20444",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2020-01-30T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1798524"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A HTTP smuggling flaw was found in HttpObjectDecoder.java in Netty in versions prior to version 4.1.44. HTTP headers with an invalid fold, in this case CRLF (carriage return, line feed) without being followed by SP (space) or HTAB (horizontal tab), result in situations where headers can be misread. Data integrity is the highest threat with this vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HTTP request smuggling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not pose a substantial practical threat to ElasticSearch 6. We agree that these issues would be difficult to exploit on OpenShift Container Platform so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-20444"
        },
        {
          "category": "external",
          "summary": "RHBZ#1798524",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798524"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20444",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-20444"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444"
        },
        {
          "category": "external",
          "summary": "https://github.com/elastic/elasticsearch/issues/49396",
          "url": "https://github.com/elastic/elasticsearch/issues/49396"
        }
      ],
      "release_date": "2020-01-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-12T17:00:20+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).\n\nThe JBoss server process must be restarted for the update to take effect.",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0811"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HTTP request smuggling"
    },
    {
      "cve": "CVE-2019-20445",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2020-01-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1798509"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty before version 4.1.44, where it accepted multiple Content-Length headers and also accepted both Transfer-Encoding, as well as Content-Length headers where it should reject the message under such circumstances. In circumstances where Netty is used in the context of a server, it could result in a viable HTTP smuggling vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships a vulnerable version of netty embedded in Candlepin. However, the flaw can not be triggered in that context, because HTTP requests are handled by Tomcat, not by netty. A future release may fix this.\n\n[1]  https://github.com/elastic/elasticsearch/issues/49396",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-20445"
        },
        {
          "category": "external",
          "summary": "RHBZ#1798509",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798509"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-20445",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-20445"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445"
        }
      ],
      "release_date": "2020-01-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-12T17:00:20+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).\n\nThe JBoss server process must be restarted for the update to take effect.",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0811"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header"
    },
    {
      "cve": "CVE-2020-7238",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "discovery_date": "2020-01-27T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1796225"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty, where it mishandles Transfer-Encoding whitespace. This flaw allows HTTP Request Smuggling.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "OpenShift Container Platform ships a vulnerable netty library as part of the logging-elasticsearch5 container. ElasticSearch\u0027s security team has stated that the previous vulnerability, CVE-2019-16869, does not poses a substantial practical threat to ElasticSearch 6 [1]. We agree that this issue would be difficult to exploit both these vulnerabilities on OpenShift Container Platform, so we\u0027re reducing the impact of this issue to moderate and may fix it in the future release.\n\nRed Hat Satellite ships vulnerable netty version embedded in Candlepin, however, is not directly vulnerable since HTTP requests are handled by Tomcat and not netty.\n\n[1]  https://github.com/elastic/elasticsearch/issues/49396",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss EAP 7.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-7238"
        },
        {
          "category": "external",
          "summary": "RHBZ#1796225",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796225"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-7238",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-7238"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7238",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7238"
        },
        {
          "category": "external",
          "summary": "https://netty.io/news/2019/12/18/4-1-44-Final.html",
          "url": "https://netty.io/news/2019/12/18/4-1-44-Final.html"
        }
      ],
      "release_date": "2020-01-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-12T17:00:20+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).\n\nThe JBoss server process must be restarted for the update to take effect.",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0811"
        },
        {
          "category": "workaround",
          "details": "* Use HTTP/2 instead (clear boundaries between requests)\n* Disable reuse of backend connections eg. ```http-reuse never``` in HAProxy or whatever equivalent LB settings",
          "product_ids": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss EAP 7.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.