Multiple problems in Red Hat build of Thorntail

ID: RHSA-2020:2905-01
Distribution: Red Hat
Platforms: Red Hat OpenShift Application Runtimes
Date: Thu, 23 July 2020, 09:46
References:
  https://access.redhat.com/security/cve/CVE-2020-1714
  https://access.redhat.com/security/cve/CVE-2020-1698
  https://access.redhat.com/security/cve/CVE-2020-1718
  https://access.redhat.com/security/cve/CVE-2019-12423
  https://access.redhat.com/security/cve/CVE-2020-10705
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.thorntail&version=2.7.0
  https://access.redhat.com/security/cve/CVE-2020-6950
  https://access.redhat.com/security/cve/CVE-2020-1744
  https://access.redhat.com/security/cve/CVE-2020-10719
  https://access.redhat.com/security/cve/CVE-2020-1697
  https://access.redhat.com/security/cve/CVE-2020-1719
  https://access.redhat.com/security/cve/CVE-2020-1732
  https://access.redhat.com/security/cve/CVE-2020-1745
  https://access.redhat.com/security/cve/CVE-2020-1695
  https://access.redhat.com/security/cve/CVE-2019-17573
  https://access.redhat.com/security/cve/CVE-2020-10688
  https://access.redhat.com/security/cve/CVE-2020-1724
  https://access.redhat.com/security/cve/CVE-2020-1727
  https://access.redhat.com/security/cve/CVE-2020-1757
Applications: Red Hat build of Thorntail

Original message:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat build of Thorntail 2.7.0 security and bug fix update
Advisory ID:       RHSA-2020:2905-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2905
Issue date:        2020-07-23
CVE Names:         CVE-2019-12423 CVE-2019-17573 CVE-2020-1695
                   CVE-2020-1697 CVE-2020-1698 CVE-2020-1714
                   CVE-2020-1718 CVE-2020-1719 CVE-2020-1724
                   CVE-2020-1727 CVE-2020-1732 CVE-2020-1744
                   CVE-2020-1745 CVE-2020-1757 CVE-2020-6950
                   CVE-2020-10688 CVE-2020-10705 CVE-2020-10719
=====================================================================

1. Summary:

An update is now available for Red Hat build of Thorntail.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Thorntail 2.7.0 includes security updates, bug fixes, and enhancements. For more information, see the release notes listed in the References section.

Security Fix(es):

* Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)

* cxf: reflected XSS in the services listing page (CVE-2019-17573)

* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)

* Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)

* resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695)

* undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757)

* keycloak: stored XSS in client settings via application links (CVE-2020-1697)

* keycloak: problem with privacy after user logout (CVE-2020-1724)

* keycloak: Password leak by logged exception in HttpMethod class (CVE-2020-1698)

* cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)

* Soteria: security identity corruption across concurrent threads (CVE-2020-1732)

* keycloak: missing input validation in IDP authorization URLs (CVE-2020-1727)

* keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP (CVE-2020-1744)

* keycloak: security issue on reset credential flow (CVE-2020-1718)

* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)

* RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)

* undertow: invalid HTTP request with large chunk size (CVE-2020-10719)

* undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header (CVE-2020-10705)

For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
1790292 - CVE-2020-1698 keycloak: Password leak by logged exception in HttpMethod class
1791538 - CVE-2020-1697 keycloak: stored XSS in client settings via application links
1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow
1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId
1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page
1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout
1800573 - CVE-2020-1727 keycloak: missing input validation in IDP authorization URLs
1801726 - CVE-2020-1732 Soteria: security identity corruption across concurrent threads
1803241 - CVE-2020-10705 undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header
1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371
1805792 - CVE-2020-1744 keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP
1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability
1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack
1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size

5. References:

https://access.redhat.com/security/cve/CVE-2019-12423
https://access.redhat.com/security/cve/CVE-2019-17573
https://access.redhat.com/security/cve/CVE-2020-1695
https://access.redhat.com/security/cve/CVE-2020-1697
https://access.redhat.com/security/cve/CVE-2020-1698
https://access.redhat.com/security/cve/CVE-2020-1714
https://access.redhat.com/security/cve/CVE-2020-1718
https://access.redhat.com/security/cve/CVE-2020-1719
https://access.redhat.com/security/cve/CVE-2020-1724
https://access.redhat.com/security/cve/CVE-2020-1727
https://access.redhat.com/security/cve/CVE-2020-1732
https://access.redhat.com/security/cve/CVE-2020-1744
https://access.redhat.com/security/cve/CVE-2020-1745
https://access.redhat.com/security/cve/CVE-2020-1757
https://access.redhat.com/security/cve/CVE-2020-6950
https://access.redhat.com/security/cve/CVE-2020-10688
https://access.redhat.com/security/cve/CVE-2020-10705
https://access.redhat.com/security/cve/CVE-2020-10719
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.thorntail&version=2.7.0
https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.7/html/release_notes_for_thorntail_2.7/

6. Contact:

The Red Hat security contact is