Important: Red Hat build of Thorntail 2.5.1 security and bug fix update

Synopsis

Important: Red Hat build of Thorntail 2.5.1 security and bug fix update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat build of Thorntail.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Description

This release of Red Hat build of Thorntail 2.5.1 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.

Security Fix(es):

• apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)
  
• cxf: does not restrict the number of message attachments (CVE-2019-12406)
  
• cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12419)
  
• hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
  
• HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
  
• HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
  
• HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)
  
• HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)
  
• jackson-databind: Multiple serialization gadgets (CVE-2019-17531, CVE-2019-16943, CVE-2019-16942, CVE-2019-17267, CVE-2019-14540, CVE-2019-16335, CVE-2019-14893, CVE-2019-14892, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2020-10969, CVE-2020-10968, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2019-20330, CVE-2020-8840)
  
• jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command
  execution (CVE-2020-10672, CVE-2020-10673)
  
• keycloak: adapter endpoints are exposed via arbitrary URLs (CVE-2019-14820)
  
• keycloak: missing signatures validation on CRL used to verify client certificates (CVE-2019-3875)
  
• keycloak: SAML broker does not check existence of signature on document allowing any user impersonation (CVE-2019-10201)
  
• keycloak: CSRF check missing in My Resources functionality in the Account Console (CVE-2019-10199)
  
• keycloak: cross-realm user access auth bypass (CVE-2019-14832)
  
• netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
  
• SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729)
  
• thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
  
• thrift: Endless loop when feed with specific input data (CVE-2019-0205)
  
• undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)
  
• wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)
  
• wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default (CVE-2019-14838)
  
• xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400)
  

For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link for the update. You must be logged in to download the update.

Affected Products

• Red Hat Openshift Application Runtimes Text-Only Advisories x86_64

Fixes

• BZ - 1649870 - CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs
• BZ - 1690628 - CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates
• BZ - 1728609 - CVE-2019-10201 keycloak: SAML broker does not check existence of signature on document allowing any user impersonation
• BZ - 1729261 - CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console
• BZ - 1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
• BZ - 1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
• BZ - 1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth
• BZ - 1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS
• BZ - 1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service
• BZ - 1749487 - CVE-2019-14832 keycloak: cross-realm user access auth bypass
• BZ - 1751227 - CVE-2019-14838 wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default
• BZ - 1755831 - CVE-2019-16335 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
• BZ - 1755849 - CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
• BZ - 1758167 - CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package
• BZ - 1758171 - CVE-2019-14892 jackson-databind: Serialization gadgets in classes of the commons-configuration package
• BZ - 1758182 - CVE-2019-14893 jackson-databind: Serialization gadgets in classes of the xalan package
• BZ - 1758187 - CVE-2019-16942 jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*
• BZ - 1758191 - CVE-2019-16943 jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
• BZ - 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
• BZ - 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data
• BZ - 1764658 - CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source
• BZ - 1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
• BZ - 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
• BZ - 1772464 - CVE-2019-14888 undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS
• BZ - 1775293 - CVE-2019-17531 jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
• BZ - 1793154 - CVE-2019-20330 jackson-databind: lacks certain net.sf.ehcache blocking
• BZ - 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
• BZ - 1802444 - CVE-2020-1729 SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader
• BZ - 1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
• BZ - 1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
• BZ - 1816170 - CVE-2019-12406 cxf: does not restrict the number of message attachments
• BZ - 1816175 - CVE-2019-12419 cxf: OpenId Connect token service does not properly validate the clientId
• BZ - 1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking
• BZ - 1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config
• BZ - 1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap
• BZ - 1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core
• BZ - 1819208 - CVE-2020-10968 jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider
• BZ - 1819212 - CVE-2020-10969 jackson-databind: Serialization gadgets in javax.swing.JEditorPane
• BZ - 1821304 - CVE-2020-11111 jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory
• BZ - 1821311 - CVE-2020-11112 jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider
• BZ - 1821315 - CVE-2020-11113 jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime
• BZ - 1826798 - CVE-2020-11620 jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
• BZ - 1826805 - CVE-2020-11619 jackson-databind: Serialization gadgets in org.springframework:spring-aop

CVEs

• CVE-2019-0205
• CVE-2019-0210
• CVE-2019-3875
• CVE-2019-9511
• CVE-2019-9512
• CVE-2019-9514
• CVE-2019-9515
• CVE-2019-10086
• CVE-2019-10199
• CVE-2019-10201
• CVE-2019-10219
• CVE-2019-12400
• CVE-2019-12406
• CVE-2019-12419
• CVE-2019-14540
• CVE-2019-14820
• CVE-2019-14832
• CVE-2019-14838
• CVE-2019-14887
• CVE-2019-14888
• CVE-2019-14892
• CVE-2019-14893
• CVE-2019-16335
• CVE-2019-16942
• CVE-2019-16943
• CVE-2019-17267
• CVE-2019-17531
• CVE-2019-20330
• CVE-2020-1729
• CVE-2020-7238
• CVE-2020-8840
• CVE-2020-9546
• CVE-2020-9547
• CVE-2020-9548
• CVE-2020-10672
• CVE-2020-10673
• CVE-2020-10968
• CVE-2020-10969
• CVE-2020-11111
• CVE-2020-11112
• CVE-2020-11113
• CVE-2020-11619
• CVE-2020-11620

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.thorntail&version=2.5.1
• https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.5/html/release_notes_for_thorntail_2.5/