RedHat: RHSA-2021-2210:01 Moderate: EAP XP 1 security update to CVE fixes
Summary
These are CVE issues filed against XP1 releases that have been fixed in the
underlying EAP 7.3.x base, so no changes to the EAP XP1 code base.
Security Fix(es):
* velocity: arbitrary code execution when attacker is able to modify
templates (CVE-2020-13936)
* bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility
possible (CVE-2020-28052)
* jboss-remoting: Threads hold up forever in the EJB server by suppressing
the ack from an EJB client (CVE-2020-35510)
* undertow: Possible regression in fix for CVE-2020-10687 (CVE-2021-20220)
* wildfly: Information disclosure due to publicly accessible privileged
actions in JBoss EJB Client (CVE-2021-20250)
* netty: Information disclosure via the local system temporary directory
(CVE-2021-21290)
* guava: local information disclosure via temporary directory created with
unsafe permissions (CVE-2020-8908)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Summary
Solution
This advisory is informational only. There are no code changes associated
with it. No action is required.
References
https://access.redhat.com/security/cve/CVE-2020-8908 https://access.redhat.com/security/cve/CVE-2020-13936 https://access.redhat.com/security/cve/CVE-2020-28052 https://access.redhat.com/security/cve/CVE-2020-35510 https://access.redhat.com/security/cve/CVE-2021-20220 https://access.redhat.com/security/cve/CVE-2021-20250 https://access.redhat.com/security/cve/CVE-2021-21290 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/articles/5734021 https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide https://access.redhat.com/articles/5886431
Package List
Topic
This advisory resolves CVE issues filed against XP1 releases that have beenfixed in the underlying EAP 7.3.x base. There are no changes to the EAP XP1code base.NOTE: This advisory is informational only. There are no code changesassociated with it. No action is required.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Topic
Relevant Releases Architectures
Bugs Fixed
1905796 - CVE-2020-35510 jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client
1906919 - CVE-2020-8908 guava: local information disclosure via temporary directory created with unsafe permissions
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1923133 - CVE-2021-20220 undertow: Possible regression in fix for CVE-2020-10687
1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
1929479 - CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates