rhsa-2020_4383
Vulnerability from csaf_redhat
Published
2020-10-28 15:49
Modified
2024-11-05 22:53
Summary
Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP5 security update

Notes

Topic
Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 5 zip release for RHEL 6, RHEL 7, RHEL 8 and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 Service Pack 5 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 4 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release. Security fix(es): * curl: Integer overflows in curl_url_set() function (CVE-2019-5435) * openssl: Integer overflow in RSAZ modular exponentiation on x86_64 (CVE-2019-1551) * httpd: mod_http2 concurrent pool usage (CVE-2020-11993) * httpd: mod_proxy_uswgi buffer overflow (CVE-2020-11984) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 5 zip release for RHEL 6, RHEL 7, RHEL 8 and Microsoft Windows is available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release adds the new Apache HTTP Server 2.4.37 Service Pack 5 packages that are part of the JBoss Core Services offering.\n\nThis release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 4 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.\n\nSecurity fix(es):\n\n* curl: Integer overflows in curl_url_set() function (CVE-2019-5435)\n* openssl: Integer overflow in RSAZ modular exponentiation on x86_64 (CVE-2019-1551)\n* httpd: mod_http2 concurrent pool usage (CVE-2020-11993)\n* httpd: mod_proxy_uswgi buffer overflow (CVE-2020-11984)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2020:4383",
        "url": "https://access.redhat.com/errata/RHSA-2020:4383"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "1710609",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1710609"
      },
      {
        "category": "external",
        "summary": "1780995",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1780995"
      },
      {
        "category": "external",
        "summary": "1866563",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866563"
      },
      {
        "category": "external",
        "summary": "1866564",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866564"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_4383.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP5 security update",
    "tracking": {
      "current_release_date": "2024-11-05T22:53:00+00:00",
      "generator": {
        "date": "2024-11-05T22:53:00+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2020:4383",
      "initial_release_date": "2020-10-28T15:49:25+00:00",
      "revision_history": [
        {
          "date": "2020-10-28T15:49:25+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-10-28T15:49:25+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-05T22:53:00+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Core Services 1",
                "product": {
                  "name": "Red Hat JBoss Core Services 1",
                  "product_id": "Red Hat JBoss Core Services 1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_core_services:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Core Services"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-1551",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "discovery_date": "2019-12-09T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1780995"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An integer overflow was found in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli.  As per upstream:\r\n\r\n* No EC algorithms are affected. \r\n\r\n* Attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. \r\n\r\n* Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway.\r\n\r\n* Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Accelerated modular exponentiation for Intel processors (RSAZ) was introduced in openssl-1.0.2, therefore older versions of OpenSSL are not affected by this flaw.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Core Services 1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-1551"
        },
        {
          "category": "external",
          "summary": "RHBZ#1780995",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1780995"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-1551",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-1551"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-1551",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1551"
        },
        {
          "category": "external",
          "summary": "https://github.com/openssl/openssl/pull/10575",
          "url": "https://github.com/openssl/openssl/pull/10575"
        },
        {
          "category": "external",
          "summary": "https://www.openssl.org/news/secadv/20191206.txt",
          "url": "https://www.openssl.org/news/secadv/20191206.txt"
        }
      ],
      "release_date": "2019-12-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-10-28T15:49:25+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "Red Hat JBoss Core Services 1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:4383"
        },
        {
          "category": "workaround",
          "details": "For Red Hat Enterprise Linux 7, 512 bit DH is already disabled. As this bug is about leakage of the private key to the attacker, it should be fully sufficient to just not use 1024 bit RSA keys or 1024 bit DSA keys. These keys are not secure enough anyway. 3-prime RSA keys are not supported on RHEL-7.\n\nFor Red Hat Enterprise 8, The DEFAULT crypto policy already disables all these key sizes.\n\nAlso applications compiled with openssl which use the low level  API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME, other users of this API are not affected by this flaw.",
          "product_ids": [
            "Red Hat JBoss Core Services 1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Core Services 1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Curl project"
          ]
        },
        {
          "names": [
            "Wenchao Li"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2019-5435",
      "cwe": {
        "id": "CWE-131",
        "name": "Incorrect Calculation of Buffer Size"
      },
      "discovery_date": "2019-05-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1710609"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An integer overflow in curl\u0027s URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "curl: Integer overflows in curl_url_set() function",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Core Services 1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-5435"
        },
        {
          "category": "external",
          "summary": "RHBZ#1710609",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1710609"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-5435",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-5435"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-5435",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5435"
        }
      ],
      "release_date": "2019-05-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-10-28T15:49:25+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "Red Hat JBoss Core Services 1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:4383"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Core Services 1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "curl: Integer overflows in curl_url_set() function"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Apache project"
          ]
        }
      ],
      "cve": "CVE-2020-11984",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2020-08-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1866563"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache httpd in versions 2.4.32 to 2.4.46. The uwsgi protocol does not serialize more than 16K of HTTP header leading to resource exhaustion and denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "httpd: mod_proxy_uwsgi buffer overflow",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Enterprise Linux 5, 6, and 7 do not ship the vulnerable version of httpd and, thus, are not affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Core Services 1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11984"
        },
        {
          "category": "external",
          "summary": "RHBZ#1866563",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866563"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11984",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11984"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11984",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11984"
        },
        {
          "category": "external",
          "summary": "https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11984",
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11984"
        }
      ],
      "release_date": "2020-08-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-10-28T15:49:25+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "Red Hat JBoss Core Services 1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:4383"
        },
        {
          "category": "workaround",
          "details": "This flaw only affects specific httpd configurations which use the uwsgi protocol. It does not manifest itself when uwsgi protocol  is not used. Commenting out \"LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so\" in /etc/httpd/conf.modules.d/00-proxy.conf will disable the loading of the vulnerable module.",
          "product_ids": [
            "Red Hat JBoss Core Services 1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Core Services 1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "httpd: mod_proxy_uwsgi buffer overflow"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Apache project"
          ]
        }
      ],
      "cve": "CVE-2020-11993",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2020-08-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1866564"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache httpd in versions 2.4.20 to 2.4.43. Logging using the wrong pool by mod_http2 at debug/trace log level may lead to potential crashes and denial of service. The highest threat from this vulnerability is to system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "httpd: mod_http2 concurrent pool usage",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Enterprise Linux 5, 6, and 7 do not ship the vulnerable version of httpd and, thus, are not affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Core Services 1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-11993"
        },
        {
          "category": "external",
          "summary": "RHBZ#1866564",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1866564"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11993",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-11993"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11993",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11993"
        },
        {
          "category": "external",
          "summary": "https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993",
          "url": "https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993"
        }
      ],
      "release_date": "2020-08-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-10-28T15:49:25+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "Red Hat JBoss Core Services 1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:4383"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Core Services 1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "httpd: mod_http2 concurrent pool usage"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.