Red Hat Security Advisory: Red Hat build of Thorntail 2.5.1 security and bug fix update
🔗 CVE IDs covered (43)
📋 Description
CVE-2019-0205 — thrift: Endless loop when feed with specific input data CVE-2019-0210 — thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol CVE-2019-3875 — keycloak: missing signatures validation on CRL used to verify client certificates CVE-2019-9511 — HTTP/2: large amount of data requests leads to denial of service CVE-2019-9512 — HTTP/2: flood using PING frames results in unbounded memory growth CVE-2019-9514 — HTTP/2: flood using HEADERS frames results in unbounded memory growth CVE-2019-9515 — HTTP/2: flood using SETTINGS frames results in unbounded memory growth CVE-2019-10086 — apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default CVE-2019-10199 — keycloak: CSRF check missing in My Resources functionality in the Account Console CVE-2019-10201 — keycloak: SAML broker does not check existence of signature on document allowing any user impersonation CVE-2019-10219 — hibernate-validator: safeHTML validator allows XSS CVE-2019-12400 — xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source CVE-2019-12406 — cxf: does not restrict the number of message attachments CVE-2019-12419 — cxf: OpenId Connect token service does not properly validate the clientId CVE-2019-14540 — jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig CVE-2019-14820 — keycloak: adapter endpoints are exposed via arbitrary URLs CVE-2019-14832 — keycloak: cross-realm user access auth bypass CVE-2019-14838 — wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default CVE-2019-14887 — wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use CVE-2019-14888 — undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS CVE-2019-14892 — jackson-databind: Serialization gadgets in classes of the commons-configuration package CVE-2019-14893 — jackson-databind: Serialization gadgets in classes of the xalan package CVE-2019-16335 — jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource CVE-2019-16942 — jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* CVE-2019-16943 — jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource CVE-2019-17267 — jackson-databind: Serialization gadgets in classes of the ehcache package CVE-2019-17531 — jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* CVE-2019-20330 — jackson-databind: lacks certain net.sf.ehcache blocking CVE-2020-1729 — SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader CVE-2020-7238 — netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling CVE-2020-8840 — jackson-databind: Lacks certain xbean-reflect/JNDI blocking CVE-2020-9546 — jackson-databind: Serialization gadgets in shaded-hikari-config CVE-2020-9547 — jackson-databind: Serialization gadgets in ibatis-sqlmap CVE-2020-9548 — jackson-databind: Serialization gadgets in anteros-core CVE-2020-10672 — jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution CVE-2020-10673 — jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution CVE-2020-10968 — jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider CVE-2020-10969 — jackson-databind: Serialization gadgets in javax.swing.JEditorPane CVE-2020-11111 — jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory CVE-2020-11112 — jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider CVE-2020-11113 — jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime CVE-2020-11619 — jackson-databind: Serialization gadgets in org.springframework:spring-aop CVE-2020-11620 — jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
🔗 References (48)
- selfhttps://access.redhat.com/errata/RHSA-2020:2067
- externalhttps://access.redhat.com/security/updates/classification/#important
- externalhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.thorntail&version=2.5.1
- externalhttps://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.5/html/release_notes_for_thorntail_2.5/
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1649870
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1690628
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1728609
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1729261
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1735645
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1735744
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1735745
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1738673
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1741860
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1749487
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1751227
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1755831
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1755849
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1758167
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1758171
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1758182
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1758187
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1758191
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1764607
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1764612
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1764658
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1767483
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1772008
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1772464
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1775293
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1793154
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1796225
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1802444
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1815470
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1815495
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816170
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816175
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816330
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816332
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816337
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816340
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1819208
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1819212
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1821304
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1821311
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1821315
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1826798
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1826805
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2067.json