Headline
RHSA-2021:4861: Red Hat Security Advisory: Red Hat JBoss Web Server 5.6.0 Security release
Updated Red Hat JBoss Web Server 5.6.0 packages are now available for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2021-30640: tomcat: JNDI realm authentication weakness
- CVE-2021-33037: tomcat: HTTP request smuggling when used with a reverse proxy
- CVE-2021-42340: tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat Openshift Container Storage
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
- Red Hat CodeReady Studio
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2021-11-30
Updated:
2021-11-30
RHSA-2021:4861 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: Red Hat JBoss Web Server 5.6.0 Security release
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
Updated Red Hat JBoss Web Server 5.6.0 packages are now available for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 5.6.0 serves as a replacement for Red Hat JBoss Web Server 5.5.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.
Security Fix(es):
- tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS (CVE-2021-42340)
- tomcat: HTTP request smuggling when used with a reverse proxy (CVE-2021-33037)
- tomcat: JNDI realm authentication weakness (CVE-2021-30640)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
- JBoss Enterprise Web Server 5 for RHEL 8 x86_64
- JBoss Enterprise Web Server 5 for RHEL 7 x86_64
Fixes
- BZ - 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
- BZ - 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
- BZ - 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS
JBoss Enterprise Web Server 5 for RHEL 8
SRPM
jws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.src.rpm
SHA-256: 3b234b8c81a51a9842af6577a3882f86d3af9277825f7ce3b482ad434c75b2e0
jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.src.rpm
SHA-256: e0db4ed0c8c3fad373ab19b4463c9760f95b3c1c76d874a6adba04e04f5e74a7
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.src.rpm
SHA-256: e8883960782c9ef24dd6262b8a41cfbe9377bb39a405a861135151bbdd6fb7a9
x86_64
jws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
SHA-256: cf26a446cbcd57bd19c8c548c6d1e9841ea3e2171fa2f77fee390eae7e48820d
jws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
SHA-256: 6bac6face73725647c5fd60ebd9bfcaf298a7fae35c594dc4e5a75a9109661c9
jws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
SHA-256: 46f7bc04d695077fb6bb36adeaa5dd8db5df0ad1b8b776d28331556cc8dd6049
jws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
SHA-256: 89018ec4fda4e300b21c88ca5c8d03be7f3a6ee1e1d6b41e7c0228a164853822
jws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
SHA-256: d9eeb4a086f4969210c12183a08d9f08228dddcf95b8bcf2ed69efccb6f7f262
jws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
SHA-256: 7002e9c031e71f332f991a8c565d1392272376069a1a9a5ae0607ec1a83ce7a4
jws5-tomcat-lib-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
SHA-256: 1a56c2742523d887c614daa43d30c1190eda50b8a49c88c34663d2ec4b322ed6
jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.x86_64.rpm
SHA-256: 5e3677f30b36ffae3f643a502e7a1e9e71183d0668954730c0043ff0c7c301ae
jws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el8jws.x86_64.rpm
SHA-256: 942264f7c135572535f995f52a72f25a3c8ff6790873651d6b3ca70a19779bdf
jws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
SHA-256: 9f5673bb6c4cf058c7c6d2d21c6f8b25c7e3657d8bd4d82eb21dc0eed5efd9de
jws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
SHA-256: f80745d3e9e50d5731605cb96fd1834b99817ce71758fa4e889555609417ce9c
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm
SHA-256: bb280b9836512d11fa3dff4e0cdbc4c8ea5aeb18a8fd62ec0ea5f31ecc72b2e5
jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm
SHA-256: 9c477e0c80284cc3fd90be879a05ed98fa4aa2deb51944e450e28feb53e9622c
jws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm
SHA-256: a108ab1ef234e25d28903d070518a48a5eb472ea62e5eacfbe7c14cdb85d263c
JBoss Enterprise Web Server 5 for RHEL 7
SRPM
jws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.src.rpm
SHA-256: eb70d84bca10085ee64680364836d02e4960687d8dbf00f8e45984a7f31cb2bc
jws5-tomcat-native-1.2.30-3.redhat_3.el7jws.src.rpm
SHA-256: df75a8d0e226787d167027c348ab37a055439e37bca96f82575f11681ff6facb
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.src.rpm
SHA-256: 062553dfc3ab37ffa2f6a6c9a7b179c958a83d66818a5a5dec7c692b4281ece6
x86_64
jws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: 9ea95d40528c7797ad6926d254392e17752210c7fc04f9546578a690ff1b67d5
jws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: 3ddeddcb61066737c94294c05a1f94f126f92f9eba193f03432da6118ee5088b
jws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: a156124e43b53049f77740139c4e3df6941f957563986dc734d57e994f3e8afd
jws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: 7e37477417571f8a1a68bb821f28626cec22476b433d5ac929933735ce823ac6
jws5-tomcat-java-jdk11-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: 8fb5384a18656d8a0ddb7d83e63e87959df0073d39c6c97551cb00ab33f1ddef
jws5-tomcat-java-jdk8-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: ffd61462e0e553df86a1bb2c4c05eb687d32cdf7cdef6b26452170bdd73777ad
jws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: 8df159173b177969ee01e288a687e4dc05d33d86fc494dcb5ff453135a8ed840
jws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: bceef8a8504371910a01ba38e4d2899a86d414042eeb7de9b4e99081fc970894
jws5-tomcat-lib-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: a3145a0480ee83ad72aaafb1c16552aaf15ca5272384d9d582362382878b3105
jws5-tomcat-native-1.2.30-3.redhat_3.el7jws.x86_64.rpm
SHA-256: 10c1eab9f30515f2444430232d29633efa9f20be6b3d04117a673df56ac4c0b0
jws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el7jws.x86_64.rpm
SHA-256: 94aa81170dd3c446e6d2857a85ec5b291754482ca20e6d6132a6020d78d57114
jws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: ff599f85b42db992a7ed226adc89bdad4e2e8c6f3e7b5dfe740283fc64c3c7d6
jws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: 1626e6885e65b4b6572fcade437ed46836febecff7d8fddd79f8d51dd1943c0d
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm
SHA-256: a556d020a89b8a202bd009b4cbc25d09c6ba772e922b0613e0d577f11bd7f686
jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm
SHA-256: 0d72b62b75e11f631797d2082db468cd26db7336c2ae7e0882b6fe15e49da49b
jws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm
SHA-256: 26040a34f6979491fa53c6f6d366fce6fd8dc5d369f71ca0a89e8f7bac59a5da
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.