Home / mailings [RHSA-2019:3931-01] Moderate: Red Hat JBoss Web Server 5.2 security release
Posted on 20 November 2019
RedHat======================================================================= Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Web Server 5.2 security release
Advisory ID: RHSA-2019:3931-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3931
Issue date: 2019-11-20
Keywords: JWS
CVE Names: CVE-2018-5407 CVE-2019-0221 CVE-2019-1559
CVE-2019-10072
=======================================================================
1. Summary:
Red Hat JBoss Web Server 5.2.0 zip release for RHEL 6, RHEL 7, RHEL 8 and
Microsoft Windows is available.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the
PicketLink Vault extension for Apache Tomcat, and the Tomcat Native
library.
Refer to the Release Notes for information on the most significant bug
fixes, enhancements and component upgrades included in this release.
Security Fix(es):
* openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures
(PortSmash) (CVE-2018-5407)
* tomcat: XSS in SSI printenv (CVE-2019-0221)
* openssl: 0-byte record padding oracle (CVE-2019-1559)
* tomcat: HTTP/2 implementation leads to denial of service (CVE-2019-10072)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1645695 - CVE-2018-5407 openssl: Side-channel vulnerability on SMT/Hyper-Th=reading architectures (PortSmash)
1683804 - CVE-2019-1559 openssl: 0-byte record padding oracle
1713275 - CVE-2019-0221 tomcat: XSS in SSI printenv
1723708 - CVE-2019-10072 tomcat: HTTP/2 connection window exhaustion on wri=te, incomplete fix of CVE-2019-0199
5. References:
https://access.redhat.com/security/cve/CVE-2018-5407
https://access.redhat.com/security/cve/CVE-2019-0221
https://access.redhat.com/security/cve/CVE-2019-1559
https://access.redhat.com/security/cve/CVE-2019-10072
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
