VARIoT IoT vulnerabilities database
| VAR-202004-0455 | CVE-2020-11791 | NETGEAR JGS516PE cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
NETGEAR JGS516PE devices before 2.6.0.43 are affected by reflected XSS. plural NETGEAR JGS516PE A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with. NETGEAR JGS516PE is a switch of NETGEAR. The vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute client code
| VAR-202004-0205 | CVE-2020-10951 | Western Digital My Cloud Home and ibi Vulnerability regarding improper restrictions on rendered user interface layers or frames on devices |
CVSS V2: 4.3 CVSS V3: 4.7 Severity: MEDIUM |
Western Digital My Cloud Home and ibi devices before 2.2.0 allow clickjacking on sign-in pages. Western Digital My Cloud is a personal cloud storage device of Western Digital (Western Digital). Attackers can use this vulnerability to hijack click operations on the login page
| VAR-202004-0924 | CVE-2019-20659 | plural NETGEAR Injection vulnerabilities in devices |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects R6400v2 before 1.0.4.84, R6700 before 1.0.2.8, R6700v3 before 1.0.4.84, R6900 before 1.0.2.8, and R7900 before 1.0.3.10. plural NETGEAR A device contains an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. NETGEAR R6400 is a wireless router of NETGEAR.
There are injection vulnerabilities in many NETGEAR products, which can be exploited by an attacker to cause the system or product to produce an incorrect interpretation or interpretation method
| VAR-202004-0892 | CVE-2019-20652 | NETGEAR WAC505 Information leakage vulnerabilities in devices |
CVSS V2: 2.1 CVSS V3: 6.5 Severity: MEDIUM |
NETGEAR WAC505 devices before 8.2.1.16 are affected by disclosure of sensitive information
| VAR-202004-0486 | CVE-2020-11777 | plural NETGEAR Cross-site scripting vulnerabilities in devices |
CVSS V2: 3.5 CVSS V3: 4.8 Severity: MEDIUM |
Certain NETGEAR devices are affected by Stored XSS. This affects D7800 before 1.0.1.56, R7500v2 before 1.0.3.46, R7800 before 1.0.2.68, R8900 before 1.0.4.28, R9000 before 1.0.4.28, RAX120 before 1.0.0.78, XR500 before 2.3.2.56, and XR700 before 1.0.1.10. plural NETGEAR A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with
| VAR-202004-0893 | CVE-2019-20653 | NETGEAR Input verification vulnerabilities on devices |
CVSS V2: 3.3 CVSS V3: 6.5 Severity: MEDIUM |
Certain NETGEAR devices are affected by denial of service. This affects WAC505 before 8.0.6.4 and WAC510 before 8.0.6.4. NETGEAR The device contains an input verification vulnerability.Service operation interruption (DoS) It may be put into a state
| VAR-202004-0913 | CVE-2019-20679 | NETGEAR MR1100 Input verification vulnerabilities on devices |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
NETGEAR MR1100 devices before 12.06.08.00 are affected by lack of access control at the function level. NETGEAR MR1100 The device contains an input verification vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. NETGEAR MR1100 is a wireless router of NETGEAR.
NETGEAR MR1100 versions prior to 12.06.08.00 have input validation error vulnerabilities, and no detailed vulnerability details are currently provided
| VAR-202004-0479 | CVE-2020-11770 | plural NETGEAR Injection vulnerabilities in devices |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Certain NETGEAR devices are affected by command injection by an authenticated user. This affects D6220 before 1.0.0.52, D6400 before 1.0.0.86, D7000v2 before 1.0.0.53, D8500 before 1.0.3.44, R6220 before 1.1.0.80, R6250 before 1.0.4.34, R6260 before 1.1.0.64, R6400 before 1.0.1.46, R6400v2 before 1.0.2.66, R6700 before 1.0.2.6, R6700v2 before 1.2.0.36, R6700v3 before 1.0.2.66, R6800 before 1.2.0.36, R6900 before 1.0.2.4, R6900P before 1.3.1.64, R6900v2 before 1.2.0.36, R7000 before 1.0.9.42, R7000P before 1.3.1.64, R7100LG before 1.0.0.50, R7300DST before 1.0.0.70, R7800 before 1.0.2.60, R7900 before 1.0.3.8, R7900P before 1.4.1.30, R8000 before 1.0.4.28, R8000P before 1.4.1.30, R8300 before 1.0.2.128, R8500 before 1.0.2.128, R8900 before 1.0.4.12, R9000 before 1.0.4.12, and XR500 before 2.3.2.32. plural NETGEAR A device contains an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state
| VAR-202004-1843 | CVE-2020-5721 | MikroTik WinBox Vulnerability regarding inadequate protection of credentials in |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and, by default Master Password is not set. An attacker with access to the configuration file can extract a username and password to gain access to the router. MikroTik WinBox Exists in an inadequate protection of credentials.Information may be obtained. MikroTik WinBox could allow a local malicious user to obtain sensitive information, caused by the storage of user credentials in plain-text in the settings.cfg.viw configuration file
| VAR-202004-0935 | CVE-2019-20670 | plural NETGEAR Cross-site scripting vulnerabilities in devices |
CVSS V2: 3.5 CVSS V3: 4.8 Severity: MEDIUM |
Certain NETGEAR devices are affected by stored XSS. This affects RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30. NETGEAR RBR50 , RBS50 , RBK50 A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with. NETGEAR RBK50 is a wireless router of NETGEAR. This vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute Client code. This affects RBR50 prior to 2.3.5.30, RBS50 prior to 2.3.5.30, and RBK50 prior to 2.3.5.30
| VAR-202004-1243 | CVE-2020-3194 | Microsoft Windows for Cisco Webex Network Recording Player and Webex Player Buffer error vulnerability in |
CVSS V2: 9.3 CVSS V3: 7.8 Severity: HIGH |
A vulnerability in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows could allow an attacker to execute arbitrary code on an affected system. The vulnerability exists due to insufficient validation of certain elements with a Webex recording stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF). An attacker could exploit this vulnerability by sending a user a malicious ARF or WRF file through a link or email attachment and persuading the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to execute arbitrary code on the affected system with the privileges of the targeted user. (DoS) It may be put into a state
| VAR-202004-1236 | CVE-2020-3177 | Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition Past Traversal Vulnerability in |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the Tool for Auto-Registered Phones Support (TAPS) of Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the TAPS interface of the affected device. An attacker could exploit this vulnerability by sending a crafted request to the TAPS interface. A successful exploit could allow the attacker to read arbitrary files in the system. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution
| VAR-202004-1251 | CVE-2020-3251 | Cisco UCS Director and UCS Director Express for Big Data Past Traversal Vulnerability in |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. (DoS) It may be put into a state. Cisco UCS Director is a heterogeneous platform for Private Cloud Infrastructure as a Service (IaaS). A remote attacker could exploit this vulnerability by sending a specially crafted request to execute code on the system
| VAR-202004-1252 | CVE-2020-3252 | Cisco UCS Director and UCS Director Express for Big Data Past Traversal Vulnerability in |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco UCS Director is a heterogeneous platform of private cloud infrastructure as a service (IaaS) of Cisco (Cisco). A path traversal vulnerability exists in the REST API endpoints in Cisco UCS Director due to the program not adequately validating user input sent to the REST API. A remote attacker could exploit this vulnerability by sending a specially crafted request to read arbitrary files on the system
| VAR-202004-0934 | CVE-2019-20669 | plural NETGEAR Cross-site scripting vulnerabilities in devices |
CVSS V2: 3.5 CVSS V3: 4.8 Severity: MEDIUM |
Certain NETGEAR devices are affected by stored XSS. This affects RBR20 before 2.3.5.26, RBS20 before 2.3.5.26, RBK20 before 2.3.5.26, RBR40 before 2.3.5.30, RBS40 before 2.3.5.30, RBK40 before 2.3.5.30, RBR50 before 2.3.5.30, RBS50 before 2.3.5.30, and RBK50 before 2.3.5.30. plural NETGEAR A cross-site scripting vulnerability exists in the device.Information may be obtained and tampered with. NETGEAR RBK50 is a wireless router of NETGEAR. The vulnerability stems from the lack of proper verification of client data by WEB applications. Attackers can use this vulnerability to execute client code. This affects RBR20 prior to 2.3.5.26, RBS20 prior to 2.3.5.26, RBK20 prior to 2.3.5.26, RBR40 prior to 2.3.5.30, RBS40 prior to 2.3.5.30, RBK40 prior to 2.3.5.30, RBR50 prior to 2.3.5.30, RBS50 prior to 2.3.5.30, and RBK50 prior to 2.3.5.30
| VAR-202004-1234 | CVE-2020-3161 |
Cisco IP Phones Input verification vulnerability in
Related entries in the VARIoT exploits database: VAR-E-202004-0257 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
A vulnerability in the web server for Cisco IP Phones could allow an unauthenticated, remote attacker to execute code with root privileges or cause a reload of an affected IP phone, resulting in a denial of service (DoS) condition. The vulnerability is due to a lack of proper input validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web server of a targeted device. A successful exploit could allow the attacker to remotely execute code with root privileges or cause a reload of an affected IP phone, resulting in a DoS condition. Cisco IP Phones There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Cisco IP Phone 7811, etc. are all IP phones of the American company Cisco.
There are input validation error vulnerabilities in the Web servers of many Cisco products
| VAR-202004-2103 | CVE-2020-9070 | Huawei Taurus-AL00B information disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
Huawei smartphones Taurus-AL00B with versions earlier than 10.0.0.205(C00E201R7P2) have an improper authentication vulnerability. The software insufficiently validate the user's identity when a user wants to do certain operation. An attacker can trick user into installing a malicious application to exploit this vulnerability. Successful exploit may cause some information disclosure. Huawei smartphone Taurus-AL00B There is an information leakage vulnerability in.Information may be obtained. Huawei Taurus-AL00B is a smart phone of China's Huawei company. The vulnerability stems from the program's inability to fully verify the user's identity
| VAR-202004-1244 | CVE-2020-3239 | Cisco UCS Director and Cisco UCS Director Express for Big Data Past Traversal Vulnerability in |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
Multiple vulnerabilities in the REST API of Cisco UCS Director and Cisco UCS Director Express for Big Data may allow a remote attacker to bypass authentication or conduct directory traversal attacks on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. (DoS) It may be put into a state. Authentication is not required to exploit this vulnerability.The specific flaw exists within the processing of zip files by the LargeFileUploadServlet endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of root. Cisco UCS Director is a heterogeneous platform for Private Cloud Infrastructure as a Service (IaaS)
| VAR-202005-1054 | CVE-2020-10683 | dom4j In XML External entity vulnerabilities |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. dom4j To XML There is a vulnerability in an external entity.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. dom4j is an open source framework for processing XML. A code issue vulnerability exists in dom4j versions prior to 2.0.3 and 2.1.x versions prior to 2.1.3. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products. ==========================================================================
Ubuntu Security Notice USN-4575-1
October 13, 2020
dom4j vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
dom4j could be made to expose sensitive information or run programs if it
received specially crafted input.
Software Description:
- dom4j: Flexible XML framework for Java
Details:
It was discovered that dom4j incorrectly handled reading XML data. A
remote attacker could exploit this with a crafted XML file to expose
sensitive data or possibly execute arbitrary code. (CVE-2020-10683)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
libdom4j-java 1.6.1+dfsg.3-2ubuntu1.1
In general, a standard system update will make all the necessary changes.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.
Installation instructions are available from the Fuse 7.8.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/
4.
The References section of this erratum contains a download link (you must
log in to download the update).
The JBoss server process must be restarted for the update to take effect. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3.2 security update
Advisory ID: RHSA-2020:3462-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3462
Issue date: 2020-08-17
CVE Names: CVE-2019-14900 CVE-2020-1710 CVE-2020-1748
CVE-2020-10672 CVE-2020-10673 CVE-2020-10683
CVE-2020-10687 CVE-2020-10693 CVE-2020-10714
CVE-2020-10718 CVE-2020-10740 CVE-2020-14297
====================================================================
1. Summary:
An update is now available for Red Hat JBoss Enterprise Application
Platform 7.3 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat JBoss EAP 7.3 for RHEL 7 Server - noarch
3. Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.3.2 serves
as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.1,
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise
Application Platform 7.3.2 Release Notes for information about the most
significant bug fixes and enhancements included in this release.
Security Fix(es):
* wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API
(CVE-2020-10718)
* dom4j: XML External Entity vulnerability in default SAX parser
(CVE-2020-10683)
* wildfly-elytron: session fixation when using FORM authentication
(CVE-2020-10714)
* wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to
permitting invalid characters in HTTP requests (CVE-2020-10687)
* jackson-databind: mishandles the interaction between serialization
gadgets and typing which could result in remote command execution
(CVE-2020-10673)
* hibernate-core: hibernate: SQL injection issue in Hibernate ORM
(CVE-2019-14900)
* wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
(CVE-2020-10740)
* jackson-databind: mishandles the interaction between serialization
gadgets and typing which could result in remote command execution
(CVE-2020-10672)
* undertow: EAP: field-name is not parsed in accordance to RFC7230
(CVE-2020-1710)
* hibernate-validator: Improper input validation in the interpolation of
constraint error messages (CVE-2020-10693)
* wildfly: Improper authorization issue in WildFlySecurityManager when
using alternative protection domain (CVE-2020-1748)
* wildfly: Some EJB transaction objects may get accumulated causing Denial
of Service (CVE-2020-14297)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, see the CVE page(s) listed in the
References section.
4. Solution:
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM
1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser
1785049 - CVE-2020-10687 Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests
1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230
1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages
1807707 - CVE-2020-1748 Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain
1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication
1828476 - CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API
1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service
6. JIRA issues fixed (https://issues.jboss.org/):
JBEAP-18793 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.16 to 5.3.17
JBEAP-19095 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.20 to 1.0.21
JBEAP-19134 - (7.3.z) Upgrade HAL from 3.2.8.Final-redhat-00001 to 3.2.9.Final
JBEAP-19185 - (7.3.z) Upgrade IronJacamar from 1.4.20.Final to 1.4.22.Final
JBEAP-19203 - (7.3.z) WFCORE-4850 - Updating mockserver to 5.9.0. Exclusion of dependency from xom.io7m
JBEAP-19205 - (7.3.z) Upgrade WildFly Core from 10.1.5.Final-redhat-00001 to 10.1.x
JBEAP-19269 - [GSS](7.3.z) Upgrade jboss-logmanager from 2.1.14.Final to 2.1.15.Final
JBEAP-19322 - (7.3.z) Upgrade XNIO from 3.7.7 to 3.7.8.SP1
JBEAP-19325 - (7.3.z) Upgrade Infinispan from 9.4.18.Final-redhat-00001 to 9.4.19.Final-redhat-00001
JBEAP-19397 - (7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP09-redhat-00001 to 2.3.9.SP11-redhat-00001
JBEAP-19410 - Tracker bug for the EAP 7.3.2 release for RHEL-7
JBEAP-19529 - (7.3.z) Update PR template to include PR-processor hints.
JBEAP-19564 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.31.Final-redhat-00001 to 4.0.33.Final-redhat-00001
JBEAP-19585 - [GSS](7.3.z) Upgrade org.jboss.genericjms from 2.0.4 to 2.0.6
JBEAP-19617 - (7.3.z) Upgrade wildfly-naming-client from 1.0.12.Final-redhat-00001 to 1.0.13.Final-redhat-00001
JBEAP-19619 - (7.3.z) Upgrade JBoss JSF API from 3.0.0.SP02-redhat-00001 to 3.0.0.SP04-redhat-00001
JBEAP-19673 - (7.3.z) [WFCORE] Upgrade WildFly Common to 1.5.2.Final
JBEAP-19674 - (7.3.z) [WFCORE] Upgrade galleon and wildfly-galleon-plugins from 4.1.2.Final to 4.2.4.Final
JBEAP-19874 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.21.Final-redhat-00001 to 1.0.22.Final-redhat-00001
7. Package List:
Red Hat JBoss EAP 7.3 for RHEL 7 Server:
Source:
eap7-dom4j-2.1.3-1.redhat_00001.1.el7eap.src.rpm
eap7-elytron-web-1.6.2-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-glassfish-jsf-2.3.9-11.SP11_redhat_00001.1.el7eap.src.rpm
eap7-hal-console-3.2.9-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-infinispan-9.4.19-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jackson-annotations-2.10.4-1.redhat_00001.1.el7eap.src.rpm
eap7-jackson-core-2.10.4-1.redhat_00001.1.el7eap.src.rpm
eap7-jackson-databind-2.10.4-1.redhat_00001.1.el7eap.src.rpm
eap7-jackson-jaxrs-providers-2.10.4-1.redhat_00001.1.el7eap.src.rpm
eap7-jackson-modules-base-2.10.4-1.redhat_00001.1.el7eap.src.rpm
eap7-jackson-modules-java8-2.10.4-1.redhat_00001.1.el7eap.src.rpm
eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP04_redhat_00001.1.el7eap.src.rpm
eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-jboss-server-migration-1.7.1-7.Final_redhat_00009.1.el7eap.src.rpm
eap7-jboss-xnio-base-3.7.8-1.SP1_redhat_00001.1.el7eap.src.rpm
eap7-netty-4.1.48-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-7.3.2-4.GA_redhat_00002.1.el7eap.src.rpm
eap7-wildfly-common-1.5.2-1.Final_redhat_00002.1.el7eap.src.rpm
eap7-wildfly-elytron-1.10.7-1.Final_redhat_00001.1.el7eap.src.rpm
eap7-wildfly-http-client-1.0.22-1.Final_redhat_00001.1.el7eap.src.rpm
noarch:
eap7-dom4j-2.1.3-1.redhat_00001.1.el7eap.noarch.rpm
eap7-glassfish-jsf-2.3.9-11.SP11_redhat_00001.1.el7eap.noarch.rpm
eap7-hal-console-3.2.9-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-core-5.3.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-entitymanager-5.3.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-envers-5.3.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-java8-5.3.17-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-hibernate-validator-cdi-6.0.20-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-9.4.19-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-cachestore-jdbc-9.4.19-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-cachestore-remote-9.4.19-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-client-hotrod-9.4.19-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-commons-9.4.19-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-core-9.4.19-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-hibernate-cache-commons-9.4.19-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-hibernate-cache-spi-9.4.19-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-infinispan-hibernate-cache-v53-9.4.19-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-api-1.4.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-impl-1.4.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-common-spi-1.4.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-core-api-1.4.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-core-impl-1.4.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-deployers-common-1.4.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-jdbc-1.4.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-ironjacamar-validator-1.4.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jackson-annotations-2.10.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jackson-core-2.10.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jackson-databind-2.10.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jackson-datatype-jdk8-2.10.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jackson-datatype-jsr310-2.10.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jackson-jaxrs-base-2.10.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jackson-jaxrs-json-provider-2.10.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jackson-module-jaxb-annotations-2.10.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jackson-modules-base-2.10.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jackson-modules-java8-2.10.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP04_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-jboss-server-migration-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-cli-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-core-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.0-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.1-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-eap7.3-server-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.0-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.1-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly11.0-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly12.0-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly13.0-server-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly14.0-server-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly15.0-server-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly16.0-server-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly17.0-server-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly18.0-server-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly8.2-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-server-migration-wildfly9.0-1.7.1-7.Final_redhat_00009.1.el7eap.noarch.rpm
eap7-jboss-xnio-base-3.7.8-1.SP1_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-4.1.48-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-netty-all-4.1.48-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el7eap.noarch.rpm
eap7-undertow-server-1.6.2-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-7.3.2-4.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-common-1.5.2-1.Final_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-elytron-1.10.7-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-elytron-tool-1.10.7-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-client-common-1.0.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-ejb-client-1.0.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-naming-client-1.0.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-http-transaction-client-1.0.22-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk11-7.3.2-4.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk8-7.3.2-4.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-javadocs-7.3.2-4.GA_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-modules-7.3.2-4.GA_redhat_00002.1.el7eap.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
8. References:
https://access.redhat.com/security/cve/CVE-2019-14900
https://access.redhat.com/security/cve/CVE-2020-1710
https://access.redhat.com/security/cve/CVE-2020-1748
https://access.redhat.com/security/cve/CVE-2020-10672
https://access.redhat.com/security/cve/CVE-2020-10673
https://access.redhat.com/security/cve/CVE-2020-10683
https://access.redhat.com/security/cve/CVE-2020-10687
https://access.redhat.com/security/cve/CVE-2020-10693
https://access.redhat.com/security/cve/CVE-2020-10714
https://access.redhat.com/security/cve/CVE-2020-10718
https://access.redhat.com/security/cve/CVE-2020-10740
https://access.redhat.com/security/cve/CVE-2020-14297
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
9. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXzqIZtzjgjWX9erEAQgbmw/9EMmKKCCwal4bB6c8JuVi9V1qwN8+GJA4
BT8rEG7nDCffXvCdGzhPj1JofUlvVLcMX6T7DhC7DJ3acsCFoMvpVvranRkhnXkj
9sIZxPYy2ZFRIXWt8tUvVYeYZdKJ+dKsHRzzCetQr0vd9L9gWuGUZcroS+PTdkCn
2Us87nq0bPNqMAX4q5iqs/+yM7WrcmL8bJELEFU+QwZQOtqKpnOiCUVwUnPxHuAB
gTk5DLAdJaj/FFmQH0l2Qc0brTXRvcjFLhme3ygQcfiOB0bh4KO+ykhOS+lznCIB
a33P5m0/eXkdjMuT9PxxllMpE3cygCrN0caFwm5F/rJVUczc6MNBCWQ2605xiiNt
xQOh429J3J9S+Ew+hwBsaWRwKgibItBI3aa/AiUHHPnwj5Q33hj3+2/53k7QuN/0
59JqQ1hOz7x857G2HaAPiCWu3QDhHqfdhewrLpCEnrO0HhLiPoHou8tuD8UnITws
OfWtjSw0bwBnhb3OsmGlQxHtIDfY+TpJKQ6YPukUmc0KiRfC695HNgk91b4u5M5O
42Oo9g4g4rxVezCI1+WaN1KRA1J7yUTmvAFuz/1QervXpvw1xGbILLqlJI7maNnX
bN4s3UgKVYLg/hlGiOMvLVTAuHY8OIyiijNoAcHXZv63+AGWQTRUihyIpl8KcFIr
V2uaf/+66c0=doZv
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. Description:
Red Hat Decision Manager is an open source decision management platform
that combines business rules management, complex event processing, Decision
Model & Notation (DMN) execution, and Business Optimizer for solving
planning problems. It automates business decisions and makes that logic
available to the entire business. Description:
Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications
| VAR-202004-1137 | CVE-2020-2830 | Ubuntu Security Notice USN-4337-1 |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
(CVE-2020-2754, CVE-2020-2755). ==========================================================================
Ubuntu Security Notice USN-4337-1
April 22, 2020
openjdk-8, openjdk-lts vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in OpenJDK.
Software Description:
- openjdk-8: Open Source Java implementation
- openjdk-lts: Open Source Java implementation
Details:
It was discovered that OpenJDK incorrectly handled certain regular
expressions. An attacker could possibly use this issue to cause a denial of
service while processing a specially crafted regular expression.
(CVE-2020-2754, CVE-2020-2755)
It was discovered that OpenJDK incorrectly handled class descriptors and
catching exceptions during object stream deserialization. An attacker could
possibly use this issue to cause a denial of service while processing a
specially crafted serialized input. (CVE-2020-2756, CVE-2020-2757)
Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and
Robert Merget discovered that OpenJDK incorrectly handled certificate messages
during TLS handshake. An attacker could possibly use this issue to bypass
certificate verification and insert, edit or obtain sensitive information. This
issue only affected OpenJDK 11. (CVE-2020-2767)
It was discovered that OpenJDK incorrectly handled exceptions thrown by
unmarshalKeyInfo() and unmarshalXMLSignature(). An attacker could possibly use
this issue to cause a denial of service while reading key info or XML signature
data from XML input. (CVE-2020-2773)
Peter Dettman discovered that OpenJDK incorrectly handled SSLParameters in
setAlgorithmConstraints(). An attacker could possibly use this issue to
override the defined systems security policy and lead to the use of weak
crypto algorithms that should be disabled. This issue only affected
OpenJDK 11. (CVE-2020-2778)
Simone Bordet discovered that OpenJDK incorrectly re-used single null TLS
sessions for new TLS connections. A remote attacker could possibly use this
issue to cause a denial of service. (CVE-2020-2781)
Dan Amodio discovered that OpenJDK did not restrict the use of CR and LF
characters in values for HTTP headers. An attacker could possibly use this
issue to insert, edit or obtain sensitive information. (CVE-2020-2800)
Nils Emmerich discovered that OpenJDK incorrectly checked boundaries or
argument types. An attacker could possibly use this issue to bypass sandbox
restrictions causing unspecified impact. (CVE-2020-2803, CVE-2020-2805)
It was discovered that OpenJDK incorrectly handled application data packets
during TLS handshake. An attacker could possibly use this issue to insert,
edit or obtain sensitive information. This issue only affected OpenJDK 11.
(CVE-2020-2816)
It was discovered that OpenJDK incorrectly handled certain regular
expressions. An attacker could possibly use this issue to cause a denial of
service. (CVE-2020-2830)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.10:
openjdk-11-jdk 11.0.7+10-2ubuntu2~19.10
openjdk-11-jre 11.0.7+10-2ubuntu2~19.10
openjdk-11-jre-headless 11.0.7+10-2ubuntu2~19.10
openjdk-11-jre-zero 11.0.7+10-2ubuntu2~19.10
openjdk-8-jdk 8u252-b09-1~19.10
openjdk-8-jre 8u252-b09-1~19.10
openjdk-8-jre-headless 8u252-b09-1~19.10
openjdk-8-jre-zero 8u252-b09-1~19.10
Ubuntu 18.04 LTS:
openjdk-11-jdk 11.0.7+10-2ubuntu2~18.04
openjdk-11-jre 11.0.7+10-2ubuntu2~18.04
openjdk-11-jre-headless 11.0.7+10-2ubuntu2~18.04
openjdk-11-jre-zero 11.0.7+10-2ubuntu2~18.04
openjdk-8-jdk 8u252-b09-1~18.04
openjdk-8-jre 8u252-b09-1~18.04
openjdk-8-jre-headless 8u252-b09-1~18.04
openjdk-8-jre-zero 8u252-b09-1~18.04
Ubuntu 16.04 LTS:
openjdk-8-jdk 8u252-b09-1~16.04
openjdk-8-jre 8u252-b09-1~16.04
openjdk-8-jre-headless 8u252-b09-1~16.04
openjdk-8-jre-jamvm 8u252-b09-1~16.04
openjdk-8-jre-zero 8u252-b09-1~16.04
This update uses a new upstream release, which includes additional bug
fixes. 8.0) - aarch64, noarch, ppc64le, s390x, x86_64
3. 8.0) - aarch64, ppc64le, s390x, x86_64
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* operator-framework/presto: /etc/passwd was given incorrect privileges
(CVE-2019-19352)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section. Solution:
For OpenShift Container Platform 4.4 see the following documentation, which
will be updated shortly for release 4.4.3, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.4/updating/updating-cluster
- -cli.html. Bugs fixed (https://bugzilla.redhat.com/):
1793281 - CVE-2019-19352 operator-framework/presto: /etc/passwd is given incorrect privileges
5. 7) - x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: java-1.8.0-openjdk security update
Advisory ID: RHSA-2020:1512-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1512
Issue date: 2020-04-21
CVE Names: CVE-2020-2754 CVE-2020-2755 CVE-2020-2756
CVE-2020-2757 CVE-2020-2773 CVE-2020-2781
CVE-2020-2800 CVE-2020-2803 CVE-2020-2805
CVE-2020-2830
=====================================================================
1. Summary:
An update for java-1.8.0-openjdk is now available for Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
3. Description:
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.
Security Fix(es):
* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
(CVE-2020-2803)
* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries,
8235274) (CVE-2020-2805)
* OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and
DOMXMLSignatureFactory (Security, 8231415) (CVE-2020-2773)
* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
(CVE-2020-2781)
* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP
Server, 8234825) (CVE-2020-2800)
* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
(CVE-2020-2830)
* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner
(Scripting, 8223898) (CVE-2020-2754)
* OpenJDK: Incorrect handling of empty string nodes in regular expression
Parser (Scripting, 8223904) (CVE-2020-2755)
* OpenJDK: Incorrect handling of references to uninitialized class
descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)
* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass
(Serialization, 8224549) (CVE-2020-2757)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of OpenJDK Java must be restarted for this update to
take effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1823199 - CVE-2020-2754 OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898)
1823200 - CVE-2020-2755 OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904)
1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)
1823224 - CVE-2020-2773 OpenJDK: Unexpected exceptions raised by DOMKeyInfoFactory and DOMXMLSignatureFactory (Security, 8231415)
1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)
1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm
x86_64:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm
x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm
x86_64:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm
x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm
ppc64:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.ppc64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.ppc64.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.ppc64.rpm
ppc64le:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.ppc64le.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64le.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.ppc64le.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.ppc64le.rpm
s390x:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.s390x.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.s390x.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.s390x.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.s390x.rpm
x86_64:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm
ppc64:
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.ppc64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.ppc64.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.ppc64.rpm
ppc64le:
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.ppc64le.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.ppc64le.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.ppc64le.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.ppc64le.rpm
s390x:
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.s390x.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.s390x.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.s390x.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.s390x.rpm
x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.src.rpm
x86_64:
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.252.b09-2.el7_8.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
java-1.8.0-openjdk-javadoc-1.8.0.252.b09-2.el7_8.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.252.b09-2.el7_8.noarch.rpm
x86_64:
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-debuginfo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.252.b09-2.el7_8.x86_64.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.i686.rpm
java-1.8.0-openjdk-src-1.8.0.252.b09-2.el7_8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-2754
https://access.redhat.com/security/cve/CVE-2020-2755
https://access.redhat.com/security/cve/CVE-2020-2756
https://access.redhat.com/security/cve/CVE-2020-2757
https://access.redhat.com/security/cve/CVE-2020-2773
https://access.redhat.com/security/cve/CVE-2020-2781
https://access.redhat.com/security/cve/CVE-2020-2800
https://access.redhat.com/security/cve/CVE-2020-2803
https://access.redhat.com/security/cve/CVE-2020-2805
https://access.redhat.com/security/cve/CVE-2020-2830
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXp7Zs9zjgjWX9erEAQijNg//Wv9fjFvkxHC42Hd5YcN8qnGcf6gdOYDW
pAv6Tv6q9pstko1bcUZYa0V01XejJYe/5uAADu3QGe1aMihI0VMjXrlFULW1laNS
QTRtsnzTac5Gm3cJZKDXIv1ITI+fgGBWOvwN9lketAQtO5su+JbPTPQ4S0rBy55D
gAVa8RVPi6qQt85HmXDrrpaAI2N8EFVkJBpC9ZRRFtI5wTv//bVx29Qw/sthlN3N
qXwO8KZI44Xbe+vb6QpGcNkly+Dh7CdeVFV1OVkqx8eOVA8Cj45NAeBgP1W8n2VQ
zt0GiKCbrV49e2AsBgmK49/J3N2L9xalsHSn54+6N02rcjf4dseV5flz5/unSIDc
gPqFCTRbGZcIdjFbilvsklGBVfBzXjw5SjUemMKYggXa+6L74O+kuH4TRZRXhmEX
70Kvn1w0ta8P1bxK0A6BM6ZnDo5f7jVIQipk2M/hw6SDzu7ZA5zbDRCg419AZ8qc
syuuHWmdfpRRj0XlUw5eBfBUq8UL+huEfRvu85zBhvhTw/Pyu+T0nQ7iofSyqvob
2LlLyPV14RBOzGIWLqrt2tGBUYanKULxIdT+VtSu4gyuloGc84onSLTqU0Ucbc85
nxpY6nc9GxOYWCMDITnr4xiRXQuUuE5V4UVwsFlr+xsEYcsAXdPLzyXzw8S8sL+Z
yPjQbJvoqgE=
=5P5C
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4662-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 24, 2020 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : openjdk-11
CVE ID : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757
CVE-2020-2767 CVE-2020-2773 CVE-2020-2778 CVE-2020-2781
CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2816
CVE-2020-2830
Several vulnerabilities have been discovered in the OpenJDK Java
runtime, resulting in denial of service, insecure TLS handshakes, bypass
of sandbox restrictions or HTTP response splitting attacks.
For the stable distribution (buster), these problems have been fixed in
version 11.0.7+10-3~deb10u1.
We recommend that you upgrade your openjdk-11 packages.
For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
iQIyBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl6i4QkACgkQEMKTtsN8
TjYOlg/3ZpduOWklosp1sS0za11zUYZHlql01d75lk2HS/u5sEVUNPyVcZ2iC8Bk
zVBfqdJmfoODThzMVws1f9BhTvdaigPd+6stG3eVcU7kHS3IEpSAglKRK9220jDQ
Euz2CXHV2trngO9C6oEg6OOB2wguKyeFT7VlMazyznmesIUr+BnmTpm/t97QOAhj
+OyeXm3YdI7B8idZUNnUS42SKei+vaj1b/Dwi7Bv5YZUgIDAy8J6lRxUYi3EA/MT
Lux7auJiMw9cIx5xqiIIW+3JmLrxXZQdvxWRsZtl5ATNwMf/PDjroWGj1eIRIa66
70dJ4FoY/yHdc4wnadBJKhWUgZbGDpVyclzRx8DBlqYxmJx0BVu10he1j8fMJnp1
72A/gHVtcHDuCLpskgYiJeUqkPq/nMEt85Q2NpnW61sGFJedGIQeAMGKLPsLCmz4
U8L2CaTvtnBFNN82P50rDCuFwKChOJ5OqKuZCBwX6hhJQqgPsSGE7wdUep0UFbm0
9qyEZ+Ph7v42+JcnP3O/Ow9i2Q+rkHcCu//jp+TaeyjZEaIurAAlMz9YN8Tp665n
lXe0nmWPkY+oCDoEglH5GaLkft0lEOT8idGp3ccBhHsQGhyJAq2z0b9OBTUgidjY
99udJWsH8naHMBZL5aHmByQ/73mL/MB+oMRv15ypVrnL2B3KVQ==
=/qDT
-----END PGP SIGNATURE-----