Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2023-1185-01

Red Hat Security Advisory 2023-1185-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.

Packet Storm
#vulnerability#red_hat#java#ssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.4 security update
Advisory ID: RHSA-2023:1185-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1185
Issue date: 2023-03-09
CVE Names: CVE-2023-1108
====================================================================

  1. Summary:

A security update is now available for Red Hat JBoss Enterprise Application
Platform 7.4.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch
Red Hat JBoss EAP 7.4 for RHEL 8 - noarch
Red Hat JBoss EAP 7.4 for RHEL 9 - noarch

  1. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java
applications based on the WildFly application runtime.

This asynchronous patch is a security update for Red Hat JBoss Enterprise
Application Platform 7.4.

Security Fix(es):

  • undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgements, and other related information, refer to the CVE
page(s) listed in the References section.

  1. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close

  1. Package List:

Red Hat JBoss EAP 7.4 for RHEL 7 Server:

Source:
eap7-undertow-2.2.22-1.SP3_redhat_00002.1.el7eap.src.rpm
eap7-wildfly-7.4.9-6.GA_redhat_00004.1.el7eap.src.rpm

noarch:
eap7-undertow-2.2.22-1.SP3_redhat_00002.1.el7eap.noarch.rpm
eap7-wildfly-7.4.9-6.GA_redhat_00004.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk11-7.4.9-6.GA_redhat_00004.1.el7eap.noarch.rpm
eap7-wildfly-java-jdk8-7.4.9-6.GA_redhat_00004.1.el7eap.noarch.rpm
eap7-wildfly-javadocs-7.4.9-6.GA_redhat_00004.1.el7eap.noarch.rpm
eap7-wildfly-modules-7.4.9-6.GA_redhat_00004.1.el7eap.noarch.rpm

Red Hat JBoss EAP 7.4 for RHEL 8:

Source:
eap7-undertow-2.2.22-1.SP3_redhat_00002.1.el8eap.src.rpm
eap7-wildfly-7.4.9-6.GA_redhat_00004.1.el8eap.src.rpm

noarch:
eap7-undertow-2.2.22-1.SP3_redhat_00002.1.el8eap.noarch.rpm
eap7-wildfly-7.4.9-6.GA_redhat_00004.1.el8eap.noarch.rpm
eap7-wildfly-javadocs-7.4.9-6.GA_redhat_00004.1.el8eap.noarch.rpm
eap7-wildfly-modules-7.4.9-6.GA_redhat_00004.1.el8eap.noarch.rpm

Red Hat JBoss EAP 7.4 for RHEL 9:

Source:
eap7-undertow-2.2.22-1.SP3_redhat_00002.1.el9eap.src.rpm
eap7-wildfly-7.4.9-6.GA_redhat_00004.1.el9eap.src.rpm

noarch:
eap7-undertow-2.2.22-1.SP3_redhat_00002.1.el9eap.noarch.rpm
eap7-wildfly-7.4.9-6.GA_redhat_00004.1.el9eap.noarch.rpm
eap7-wildfly-javadocs-7.4.9-6.GA_redhat_00004.1.el9eap.noarch.rpm
eap7-wildfly-modules-7.4.9-6.GA_redhat_00004.1.el9eap.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2023-1108
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZApNXtzjgjWX9erEAQglug//bHLbuq0YicJor7WmFSWrPeZw2Ec7teRr
8BfgrLnd91klImfyVAOxPRox5d3LfFraB120pVUDgkTe9OoWqwcNRpjCVwUFYpwf
DRyiR0OR45bhEYqBC3TpZhsxYeNBNU2cbS5C3oO1cleydv9jtOPK9dZtAVXVZ1By
wMv26yXlA62xfnweDtadprfcKBhkCwQJGKmqnZNL09cpoihLSs+4DB9WuiK+aK+D
rmNlxtSFjIpvpiaaku8Px8VgNsSVN33A9KxGtD+YpBz59XVnvRa6C1fjIltf583U
pSRn4jHWR6M8Z2E8jAxU7HQMqgDJ4ywAiLQMBjcxe9ryFad0E4SrZFzuVHJUFhD8
0Fyzx3x5S0LwAMK+KxKrcQrw7rJ1PyLAnQHDHAMt3z3EkpYBhgTwQs/GV9FK4eKn
XnZM9LrW0fQPIwbnz5NXtDbC4SLZiNfvt5mb/1Ubsp6rS8yyz9xXGWsrV8w4x4Sr
NDuyTiOLsPqlsfzOQn/Mxl1abpTP+HOm+XnmWSCaveA5xvZDFvuMeJ2VWE0vwfj7
alms9t5MFcG2Ogbu4a/Vq+jRy6JH3in17SI9V5aGlb+N2WlreVrpGC2RwOnWMP6w
ym3ti55YYpKa44rQ4AiYTavB32zrFiwzpyNdkQT0jFgYRUjI/ftwpYIJiw28+DkO
Y4OMbcHnS9w=I/dI
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

GHSA-m4mm-pg93-fv78: Undertow denial of service vulnerability

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

CVE-2023-1108

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

Red Hat Security Advisory 2023-4612-01

Red Hat Security Advisory 2023-4612-01 - Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications for OpenShift as a containerized platform. This release of Red Hat support for Spring Boot 2.7.13 serves as a replacement for Red Hat support for Spring Boot 2.7.12, and includes security, bug fixes and enhancements. For more information, see the release notes linked in the References section. Issues addressed include bypass, code execution, denial of service, and deserialization vulnerabilities.

RHSA-2023:3954: Red Hat Security Advisory: Red Hat Fuse 7.12 release and security update

A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2012-5783: It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or su...

Red Hat Security Advisory 2023-3885-01

Red Hat Security Advisory 2023-3885-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.4 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a cross site scripting vulnerability.

Red Hat Security Advisory 2023-3892-01

Red Hat Security Advisory 2023-3892-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.4 serves as a replacement for Red Hat Single Sign-On 7.6.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, and deserialization vulnerabilities.

Red Hat Security Advisory 2023-3884-01

Red Hat Security Advisory 2023-3884-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.4 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a cross site scripting vulnerability.

Red Hat Security Advisory 2023-3888-01

Red Hat Security Advisory 2023-3888-01 - Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services. This erratum releases a new image for Red Hat Single Sign-On 7.6.4 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and within the OpenShift Container Platform 4.12 cloud computing Platform-as-a-Service for on-premise or private cloud deployments, aligning with the standalone product release. Issues addressed include a cross site scripting vulnerability.

Red Hat Security Advisory 2023-3883-02

Red Hat Security Advisory 2023-3883-02 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.4 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a cross site scripting vulnerability.

RHSA-2023:3883: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.4 security update on RHEL 7

New Red Hat Single Sign-On 7.6.4 packages are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4361: Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. * CVE-2023-1108: A flaw was found in underto...

RHSA-2023:3892: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.4 security update

A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-39144: A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. * CVE-2022-4361: Keycloak, an open-source identity and access management solution, has a cross-sit...

RHSA-2023:3884: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.4 security update on RHEL 8

New Red Hat Single Sign-On 7.6.4 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4361: Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. * CVE-2023-1108: A flaw was found in underto...

RHSA-2023:3885: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.4 security update on RHEL 9

New Red Hat Single Sign-On 7.6.4 packages are now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4361: Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. * CVE-2023-1108: A flaw was found in underto...

RHSA-2023:3888: Red Hat Security Advisory: Red Hat Single Sign-On 7.6.4 for OpenShift image security enhancement update

A new image is available for Red Hat Single Sign-On 7.6.4, running on OpenShift Container Platform 3.10 and 3.11, and 4.12.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4361: Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. * CVE-2023...

Red Hat Security Advisory 2023-1516-01

Red Hat Security Advisory 2023-1516-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.

Red Hat Security Advisory 2023-1514-01

Red Hat Security Advisory 2023-1514-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.

Red Hat Security Advisory 2023-1513-01

Red Hat Security Advisory 2023-1513-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.

Red Hat Security Advisory 2023-1512-01

Red Hat Security Advisory 2023-1512-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.

RHSA-2023:1516: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.10 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1471: A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE). * CVE-2022-4492: A flaw was found in undertow. The undertow c...

Red Hat Security Advisory 2023-1184-01

Red Hat Security Advisory 2023-1184-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.

RHSA-2023:1185: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-1108: A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

RHSA-2023:1184: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update

A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-1108: A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution