Home / mailings [RHSA-2020:0729-01] Important: Red Hat Data Grid 7.3.5 security update
Posted on 05 March 2020
RedHat===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat Data Grid 7.3.5 security update
Advisory ID: RHSA-2020:0729-01
Product: Red Hat JBoss Data Grid
Advisory URL: https://access.redhat.com/errata/RHSA-2020:0729
Issue date: 2020-03-05
CVE Names: CVE-2015-9251 CVE-2019-14888 CVE-2019-14892
CVE-2019-14893 CVE-2019-16335
=====================================================================
1. Summary:
An update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the
Infinispan project.
This release of Red Hat Data Grid 7.3.5 serves as a replacement for Red Hat
Data Grid 7.3.4 and includes bug fixes and enhancements, which are
described in the Release Notes, linked to in the References section of this
erratum.
Security Fix(es):
* undertow: possible Denial Of Service (DOS) in Undertow HTTP server
listening on HTTPS (CVE-2019-14888)
* js-jquery: Cross-site scripting via cross-domain ajax requests
(CVE-2015-9251)
* jackson-databind: Serialization gadgets in classes of the
commons-configuration package (CVE-2019-14892)
* jackson-databind: Serialization gadgets in classes of the xalan package
(CVE-2019-14893)
* jackson-databind: polymorphic typing issue related to
com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
To install this update, do the following:
1. Download the Data Grid 7.3.5 server patch from the customer portal.
2. Back up your existing Data Grid installation. You should back up
databases, configuration files, and so on.
3. Install the Data Grid 7.3.5 server patch. Refer to the 7.3 Release Notes
for patching instructions.
4. Restart Data Grid to ensure the changes take effect.
4. Bugs fixed (https://bugzilla.redhat.com/):
1399546 - CVE-2015-9251 js-jquery: Cross-site scripting via cross-domain ajax requests
1755831 - CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource
1758171 - CVE-2019-14892 jackson-databind: Serialization gadgets in classes of the commons-configuration package
1758182 - CVE-2019-14893 jackson-databind: Serialization gadgets in classes of the xalan package
1772464 - CVE-2019-14888 undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS
5. References:
https://access.redhat.com/security/cve/CVE-2015-9251
https://access.redhat.com/security/cve/CVE-2019-14888
https://access.redhat.com/security/cve/CVE-2019-14892
https://access.redhat.com/security/cve/CVE-2019-14893
https://access.redhat.com/security/cve/CVE-2019-16335
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381&product=data.grid&version=7.3&downloadType=patches
https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
