RHSA-2021:0495: Red Hat Security Advisory: Red Hat JBoss Web Server 5.4.1 Security Update

Red Hat JBoss Web Server 5.4.1 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 and Windows. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.4.1 serves as a replacement for Red Hat JBoss Web Server 5.4.0, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References. Security Fix(es):

• tomcat: Apache Tomcat HTTP/2 Request mix-up (CVE-2020-13943)
• tomcat: HTTP/2 request header mix-up (CVE-2020-17527)
• tomcat: Information disclosure when using NTFS file system (CVE-2021-24122)
• openssl: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Related CVEs:
• CVE-2020-1971: openssl: EDIPARTYNAME NULL pointer de-reference
• CVE-2020-13943: tomcat: Apache Tomcat HTTP/2 Request mix-up
• CVE-2020-17527: tomcat: HTTP/2 request header mix-up
• CVE-2021-24122: tomcat: Information disclosure when using NTFS file system