ID

VAR-202003-1779

CVE

CVE-2020-10672

TITLE

FasterXML jackson-databind Security hole

DESCRIPTION

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). FasterXML Jackson is a data processing tool for Java developed by American FasterXML Company. jackson-databind is one of the components with data binding function. A security vulnerability exists in FasterXML jackson-databind 2.x prior to 2.9.10.4 due to insecure deserialization by org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aries.transaction.jms) . A remote attacker could exploit this vulnerability with specially crafted input to execute arbitrary code on the system. Description: Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. Security Fix(es): * apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086) * cxf: does not restrict the number of message attachments (CVE-2019-12406) * cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12419) * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219) * HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512) * HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514) * HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515) * HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511) * jackson-databind: Multiple serialization gadgets (CVE-2019-17531, CVE-2019-16943, CVE-2019-16942, CVE-2019-17267, CVE-2019-14540, CVE-2019-16335, CVE-2019-14893, CVE-2019-14892, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2020-10969, CVE-2020-10968, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2019-20330, CVE-2020-8840) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672, CVE-2020-10673) * keycloak: adapter endpoints are exposed via arbitrary URLs (CVE-2019-14820) * keycloak: missing signatures validation on CRL used to verify client certificates (CVE-2019-3875) * keycloak: SAML broker does not check existence of signature on document allowing any user impersonation (CVE-2019-10201) * keycloak: CSRF check missing in My Resources functionality in the Account Console (CVE-2019-10199) * keycloak: cross-realm user access auth bypass (CVE-2019-14832) * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238) * SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729) * thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) * thrift: Endless loop when feed with specific input data (CVE-2019-0205) * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) * wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default (CVE-2019-14838) * xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400) For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Security Fix(es): * netty (CVE-2016-4970 CVE-2020-7238 CVE-2019-20444 CVE-2019-20445) * dom4j (CVE-2018-1000632) * elasticsearch (CVE-2018-3831) * pdfbox (CVE-2018-11797) * vertx (CVE-2018-12541) * spring-data-jpa (CVE-2019-3797) * mina-core (CVE-2019-0231) * jackson-databind (CVE-2019-12086 CVE-2019-16335 CVE-2019-14540 CVE-2019-17267 CVE-2019-14892 CVE-2019-14893 CVE-2019-16942 CVE-2019-16943 CVE-2019-17531 CVE-2019-20330 CVE-2020-10673 CVE-2020-10672 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10968 CVE-2020-10969 CVE-2020-11111 CVE-2020-11112 CVE-2020-11113 CVE-2020-11620 CVE-2020-11619 CVE-2020-14195 CVE-2020-14060 CVE-2020-14061 CVE-2020-14062) * jackson-mapper-asl (CVE-2019-10172) * hawtio (CVE-2019-9827) * undertow (CVE-2019-9511 CVE-2020-1757 CVE-2019-14888 CVE-2020-1745) * santuario (CVE-2019-12400) * apache-commons-beanutils (CVE-2019-10086) * cxf (CVE-2019-17573) * apache-commons-configuration (CVE-2020-1953) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Installation instructions are available from the Fuse 7.7.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.7/ 4. Bugs fixed (https://bugzilla.redhat.com/): 1343616 - CVE-2016-4970 netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl 1620529 - CVE-2018-1000632 dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents 1632452 - CVE-2018-3831 elasticsearch: Information exposure via _cluster/settings API 1637492 - CVE-2018-11797 pdfbox: unbounded computation in parser resulting in a denial of service 1638391 - CVE-2018-12541 vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake 1697598 - CVE-2019-3797 spring-data-jpa: Additional information exposure with Spring Data JPA derived queries 1700016 - CVE-2019-0231 mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure. 1713468 - CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3.2 security update Advisory ID: RHSA-2020:3463-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:3463 Issue date: 2020-08-17 CVE Names: CVE-2019-14900 CVE-2020-1710 CVE-2020-1748 CVE-2020-10672 CVE-2020-10673 CVE-2020-10683 CVE-2020-10687 CVE-2020-10693 CVE-2020-10714 CVE-2020-10718 CVE-2020-10740 CVE-2020-14297 ==================================================================== 1. Summary: An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch 3. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.3.2 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.1 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.2 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API (CVE-2020-10718) * dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683) * wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714) * wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests (CVE-2020-10687) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673) * hibernate-core: hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900) * wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740) * jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672) * undertow: EAP: field-name is not parsed in accordance to RFC7230 (CVE-2020-1710) * hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693) * wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748) * wildfly: Some EJB transaction objects may get accumulated causing Denial of Service (CVE-2020-14297) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section. 4. Solution: Before applying this update, ensure all previously released errata relevant to your system have been applied. For details about how to apply this update, see: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM 1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser 1785049 - CVE-2020-10687 Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests 1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230 1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages 1807707 - CVE-2020-1748 Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain 1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution 1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution 1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication 1828476 - CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API 1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans 1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service 6. JIRA issues fixed (https://issues.jboss.org/): JBEAP-18793 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.16 to 5.3.17 JBEAP-19095 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.20 to 1.0.21 JBEAP-19134 - (7.3.z) Upgrade HAL from 3.2.8.Final-redhat-00001 to 3.2.9.Final JBEAP-19185 - (7.3.z) Upgrade IronJacamar from 1.4.20.Final to 1.4.22.Final JBEAP-19203 - (7.3.z) WFCORE-4850 - Updating mockserver to 5.9.0. Exclusion of dependency from xom.io7m JBEAP-19205 - (7.3.z) Upgrade WildFly Core from 10.1.5.Final-redhat-00001 to 10.1.x JBEAP-19269 - [GSS](7.3.z) Upgrade jboss-logmanager from 2.1.14.Final to 2.1.15.Final JBEAP-19322 - (7.3.z) Upgrade XNIO from 3.7.7 to 3.7.8.SP1 JBEAP-19325 - (7.3.z) Upgrade Infinispan from 9.4.18.Final-redhat-00001 to 9.4.19.Final-redhat-00001 JBEAP-19397 - (7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP09-redhat-00001 to 2.3.9.SP11-redhat-00001 JBEAP-19410 - Tracker bug for the EAP 7.3.2 release for RHEL-7 JBEAP-19411 - Tracker bug for the EAP 7.3.2 release for RHEL-8 JBEAP-19529 - (7.3.z) Update PR template to include PR-processor hints. JBEAP-19564 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.31.Final-redhat-00001 to 4.0.33.Final-redhat-00001 JBEAP-19585 - [GSS](7.3.z) Upgrade org.jboss.genericjms from 2.0.4 to 2.0.6 JBEAP-19617 - (7.3.z) Upgrade wildfly-naming-client from 1.0.12.Final-redhat-00001 to 1.0.13.Final-redhat-00001 JBEAP-19619 - (7.3.z) Upgrade JBoss JSF API from 3.0.0.SP02-redhat-00001 to 3.0.0.SP04-redhat-00001 JBEAP-19673 - (7.3.z) [WFCORE] Upgrade WildFly Common to 1.5.2.Final JBEAP-19674 - (7.3.z) [WFCORE] Upgrade galleon and wildfly-galleon-plugins from 4.1.2.Final to 4.2.4.Final JBEAP-19874 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.21.Final-redhat-00001 to 1.0.22.Final-redhat-00001 7. Package List: Red Hat JBoss EAP 7.3 for BaseOS-8: Source: eap7-dom4j-2.1.3-1.redhat_00001.1.el8eap.src.rpm eap7-elytron-web-1.6.2-1.Final_redhat_00001.1.el8eap.src.rpm eap7-glassfish-jsf-2.3.9-11.SP11_redhat_00001.1.el8eap.src.rpm eap7-hal-console-3.2.9-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el8eap.src.rpm eap7-infinispan-9.4.19-1.Final_redhat_00001.1.el8eap.src.rpm eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jackson-annotations-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-core-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-databind-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-jaxrs-providers-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-modules-base-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-modules-java8-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP04_redhat_00001.1.el8eap.src.rpm eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.7.1-7.Final_redhat_00009.1.el8eap.src.rpm eap7-jboss-xnio-base-3.7.8-1.SP1_redhat_00001.1.el8eap.src.rpm eap7-netty-4.1.48-1.Final_redhat_00001.1.el8eap.src.rpm eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el8eap.src.rpm eap7-wildfly-7.3.2-4.GA_redhat_00002.1.el8eap.src.rpm eap7-wildfly-common-1.5.2-1.Final_redhat_00002.1.el8eap.src.rpm eap7-wildfly-elytron-1.10.7-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-http-client-1.0.22-1.Final_redhat_00001.1.el8eap.src.rpm noarch: eap7-dom4j-2.1.3-1.redhat_00001.1.el8eap.noarch.rpm eap7-glassfish-jsf-2.3.9-11.SP11_redhat_00001.1.el8eap.noarch.rpm eap7-hal-console-3.2.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-core-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-entitymanager-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-envers-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-java8-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-validator-cdi-6.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-jdbc-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-remote-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-client-hotrod-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-commons-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-core-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-api-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-api-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-validator-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jackson-annotations-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-core-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-databind-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-datatype-jdk8-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-datatype-jsr310-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-jaxrs-base-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-jaxrs-json-provider-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-module-jaxb-annotations-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-modules-base-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-modules-java8-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP04_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-server-migration-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.3-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly15.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly16.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly17.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly18.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-xnio-base-3.7.8-1.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-netty-4.1.48-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-netty-all-4.1.48-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el8eap.noarch.rpm eap7-undertow-server-1.6.2-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-7.3.2-4.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-common-1.5.2-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-elytron-1.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-elytron-tool-1.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-client-common-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.3.2-4.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-modules-7.3.2-4.GA_redhat_00002.1.el8eap.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 8. References: https://access.redhat.com/security/cve/CVE-2019-14900 https://access.redhat.com/security/cve/CVE-2020-1710 https://access.redhat.com/security/cve/CVE-2020-1748 https://access.redhat.com/security/cve/CVE-2020-10672 https://access.redhat.com/security/cve/CVE-2020-10673 https://access.redhat.com/security/cve/CVE-2020-10683 https://access.redhat.com/security/cve/CVE-2020-10687 https://access.redhat.com/security/cve/CVE-2020-10693 https://access.redhat.com/security/cve/CVE-2020-10714 https://access.redhat.com/security/cve/CVE-2020-10718 https://access.redhat.com/security/cve/CVE-2020-10740 https://access.redhat.com/security/cve/CVE-2020-14297 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/ 9. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXzqIgdzjgjWX9erEAQhAaw//ceEP1X/GXLqWVwEDOZhjR4akb8iOZC4P H8bYYEtAq7LHOTzfor0D1PsShzOfF6UjhpRYYhaFZN80Fs3cc27Pqk5MnF4qfdAf FnzZ/ze5jlclBPK+eSmGPvYCeuMK9EF+fRETRUOj0rdu3M1CLYUV1LNxOZk48Uen KRWbBEW8BzuYYUf+24ly76siqTZCW5oI+ZsMhuUqyUwxzu61uDL0nMYnOS+WZPL0 xBafLiCZ1xc0pykIuqzqHPy+cvxCqkyXDJ5cOV16jeXhp5lNB0yk0LzQnck/+wKc RJtl/ySiuUUXH/p5FY9tAphgqvA7Plh0SpsvF0/UUsQIeqoZzx2Xr295OFUSOb26 rebOBTDbky9zFWFXtRvnSo4cadQhYgemOkkKuX9NaQemyBRitvIjk0ZOw0cOtXdW 5UecnSYFC5U46VzSNmPosuTkodyA20GJDxFX9v/iRP8wbsG0IpJz/1G1DMSk1+ba oOtpxQxzuCOqhEVubkfgt0BbU4XgbYzBkKnfxfSaNVDpCCi1hCnHPC6gWR//jbP2 qEy5MmbO8Sksn16fDgBTQ/g8YATe6pa7Q5DnIe+l+0thzm8kf3l9TG+YRKjoxtSV FwlVApI2o6Ebse7EPr96Ior5xMirxVML2rKgzQc7cG2s7gXvQ2NVkC0vCGdmGUGc zQFgGc2abfE=qmbe -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . The References section of this erratum contains a download link (you must log in to download the update). The JBoss server process must be restarted for the update to take effect

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

other

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2024-12-21T22:48:50.034000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE