-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Data Grid 7.3.6 security update
Advisory ID:       RHSA-2020:2321-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2321
Issue date:        2020-05-26
CVE Names:         CVE-2018-10862 CVE-2019-0205 CVE-2019-0210 
                   CVE-2019-10086 CVE-2019-10219 CVE-2019-14540 
                   CVE-2019-16869 CVE-2019-16942 CVE-2019-16943 
                   CVE-2019-17267 CVE-2019-20444 CVE-2019-20445 
                   CVE-2020-7238 
====================================================================
1. Summary:

An update for Red Hat Data Grid is now available.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the
Infinispan project.

This release of Red Hat Data Grid 7.3.6 serves as a replacement for Red Hat
Data Grid 7.3.5 and includes bug fixes and enhancements, which are
described in the Release Notes, linked to in the References section of this
erratum.

Security Fix(es):

* wildfly-core: Path traversal can allow the extraction of .war archives to
write arbitrary files (Zip Slip) (CVE-2018-10862)

* apache-commons-beanutils: does not suppresses the class property in
PropertyUtilsBean by default (CVE-2019-10086)

* netty: HTTP request smuggling by mishandled whitespace before the colon
in HTTP headers (CVE-2019-16869)

* netty: HTTP request smuggling (CVE-2019-20444)

* netty: HttpObjectDecoder.java allows Content-Length header to accompanied
by second Content-Length header (CVE-2019-20445)

* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace
mishandling (CVE-2020-7238)

* thrift: Endless loop when feed with specific input data (CVE-2019-0205)

* thrift: Out-of-bounds read related to TJSONProtocol or
TSimpleJSONProtocol (CVE-2019-0210)

* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)

* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
(CVE-2019-14540)

* jackson-databind: Serialization gadgets in
org.apache.commons.dbcp.datasources.* (CVE-2019-16942)

* jackson-databind: Serialization gadgets in
com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)

* jackson-databind: Serialization gadgets in classes of the ehcache package
(CVE-2019-17267)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

To install this update, do the following:

1. Download the Data Grid 7.3.6 server patch from the customer portal. See
the download link in the References section.
2. Back up your existing Data Grid installation. You should back up
databases, configuration files, and so on.
3. Install the Data Grid 7.3.6 server patch. Refer to the 7.3 Release Notes
for patching instructions.
4. Restart Data Grid to ensure the changes take effect.

4. Bugs fixed (https://bugzilla.redhat.com/):

1593527 - CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)
1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS
1755849 - CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
1758167 - CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package
1758187 - CVE-2019-16942 jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*
1758191 - CVE-2019-16943 jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data
1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
1798524 - CVE-2019-20444 netty: HTTP request smuggling

5. References:

https://access.redhat.com/security/cve/CVE-2018-10862
https://access.redhat.com/security/cve/CVE-2019-0205
https://access.redhat.com/security/cve/CVE-2019-0210
https://access.redhat.com/security/cve/CVE-2019-10086
https://access.redhat.com/security/cve/CVE-2019-10219
https://access.redhat.com/security/cve/CVE-2019-14540
https://access.redhat.com/security/cve/CVE-2019-16869
https://access.redhat.com/security/cve/CVE-2019-16942
https://access.redhat.com/security/cve/CVE-2019-16943
https://access.redhat.com/security/cve/CVE-2019-17267
https://access.redhat.com/security/cve/CVE-2019-20444
https://access.redhat.com/security/cve/CVE-2019-20445
https://access.redhat.com/security/cve/CVE-2020-7238
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=patches&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXs0/WtzjgjWX9erEAQj6YBAAprUkyGaWcz+RYX6fFXboPsTp+DryzK86
I0qkM7+AcdotKa113mC6JYxxCdTScRDpEMro4hlhgdk1tkFKarlT0ygK8pQiR0JP
lQ6Orkf267u6Dgl/WcycTYhmWL3ZnBujKf+Lw9hrI5BqHMCHkxUYTJtQoolqfEHR
Kjm84Ztf3xb29Olrcho4AkQQruHdoc9BYDN0cVdLcO4cprYhBFxU7PFXZy6+YtiJ
5QJwfeGnHIQcSLfaGjsLno2K4ZxRfwMX04xWn7hAaYRQV7CIfcPjqj0mCyEVfDND
0a3WbgiMwMvkT6B0E9e7fQy02nlQbPKvsTBcvb4f0a0iJ5fJYljMowcWl0j+7Jtj
CCdlaMEcVnk/ABF5ShP7HdB3gbEnPPQrFMIcpOwYDBxxnpR0PwqL8mGSroJD1Pp9
S2OLc0HxqMEKmiqtJWY74+ltCSIFx0GwdkimhWJ7wnQitpIFRNeWyAMdz9IuqVXX
Tcyys8aKXk+vZAYrCSckD4JFvguUPMcp9XJ7wANkHVlBgW0pcTdbro6jIii/xRZa
v4mWhkNkw9qr3aIkOZ+FdcNxDkhWWq8INV5+4I8ueqebBUibl6KLptcgbs5aUauz
KYhyKl0qcAczrmDGZK3EhvZzCWCm/NfLG8Mv9+YgIdErJg8xgeLceaoKlwDtbsWm
ajI0qVNl6Bs=dbVJ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-2321:01 Important: Red Hat Data Grid 7.3.6 security update

An update for Red Hat Data Grid is now available

Summary

Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.
This release of Red Hat Data Grid 7.3.6 serves as a replacement for Red Hat Data Grid 7.3.5 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum.
Security Fix(es):
* wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) (CVE-2018-10862)
* apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)
* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)
* netty: HTTP request smuggling (CVE-2019-20444)
* netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)
* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
* thrift: Endless loop when feed with specific input data (CVE-2019-0205)
* thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)
* jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)
* jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)
* jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

To install this update, do the following:
1. Download the Data Grid 7.3.6 server patch from the customer portal. See the download link in the References section. 2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on. 3. Install the Data Grid 7.3.6 server patch. Refer to the 7.3 Release Notes for patching instructions. 4. Restart Data Grid to ensure the changes take effect.

References

https://access.redhat.com/security/cve/CVE-2018-10862 https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-10086 https://access.redhat.com/security/cve/CVE-2019-10219 https://access.redhat.com/security/cve/CVE-2019-14540 https://access.redhat.com/security/cve/CVE-2019-16869 https://access.redhat.com/security/cve/CVE-2019-16942 https://access.redhat.com/security/cve/CVE-2019-16943 https://access.redhat.com/security/cve/CVE-2019-17267 https://access.redhat.com/security/cve/CVE-2019-20444 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-7238 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=patches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index

Package List


Severity
Advisory ID: RHSA-2020:2321-01
Product: Red Hat JBoss Data Grid
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2321
Issued Date: : 2020-05-26
CVE Names: CVE-2018-10862 CVE-2019-0205 CVE-2019-0210 CVE-2019-10086 CVE-2019-10219 CVE-2019-14540 CVE-2019-16869 CVE-2019-16942 CVE-2019-16943 CVE-2019-17267 CVE-2019-20444 CVE-2019-20445 CVE-2020-7238

Topic

An update for Red Hat Data Grid is now available.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1593527 - CVE-2018-10862 wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)

1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS

1755849 - CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig

1758167 - CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package

1758187 - CVE-2019-16942 jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*

1758191 - CVE-2019-16943 jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource

1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol

1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data

1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default

1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling

1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

1798524 - CVE-2019-20444 netty: HTTP request smuggling


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved