RHSA-2020:2780

Description

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.23 security update

CVSS Metrics

• v3.1•HIGH•Score: 7.6CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Affected Systems

• redhat•glassfish-jsf12-eap6

  < 0:1.2.15-11.b01_SP2_redhat_2.1.ep6.el7

• redhat•hornetq

  < 0:2.3.25-29.SP31_redhat_00001.1.ep6.el7

• redhat•ironjacamar-common-api-eap6

  < 0:1.0.44-1.Final_redhat_00001.1.ep6.el7

• redhat•ironjacamar-common-impl-eap6

  < 0:1.0.44-1.Final_redhat_00001.1.ep6.el7

• redhat•ironjacamar-common-spi-eap6

  < 0:1.0.44-1.Final_redhat_00001.1.ep6.el7

• redhat•ironjacamar-core-api-eap6

  < 0:1.0.44-1.Final_redhat_00001.1.ep6.el7

• redhat•ironjacamar-core-impl-eap6

  < 0:1.0.44-1.Final_redhat_00001.1.ep6.el7

• redhat•ironjacamar-deployers-common-eap6

  < 0:1.0.44-1.Final_redhat_00001.1.ep6.el7

• redhat•ironjacamar-eap6

  < 0:1.0.44-1.Final_redhat_00001.1.ep6.el7

• redhat•ironjacamar-jdbc-eap6

  < 0:1.0.44-1.Final_redhat_00001.1.ep6.el7

• redhat•ironjacamar-spec-api-eap6

  < 0:1.0.44-1.Final_redhat_00001.1.ep6.el7

• redhat•ironjacamar-validator-eap6

  < 0:1.0.44-1.Final_redhat_00001.1.ep6.el7

• redhat•jbosgi-repository

  < 0:2.1.0-3.Final_redhat_3.1.ep6.el7

• redhat•jboss-as-appclient

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-cli

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-client-all

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-clustering

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-cmp

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-configadmin

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-connector

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-controller

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-controller-client

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-core-security

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-deployment-repository

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-deployment-scanner

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-domain-http

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-domain-management

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-ee

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-ee-deployment

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-ejb3

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-embedded

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-host-controller

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-jacorb

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-jaxr

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-jaxrs

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-jdr

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-jmx

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-jpa

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-jsf

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-jsr77

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-logging

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-mail

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-management-client-content

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-messaging

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-modcluster

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-naming

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-network

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-osgi

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-osgi-configadmin

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

• redhat•jboss-as-osgi-service

  < 0:7.5.23-3.Final_redhat_00002.1.ep6.el7

Showing first 50 affected entries in server-rendered view.

References (26)

• https://access.redhat.com/errata/RHSA-2020:2780
• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1700855
• https://bugzilla.redhat.com/show_bug.cgi?id=1708467
• https://bugzilla.redhat.com/show_bug.cgi?id=1710434
• https://bugzilla.redhat.com/show_bug.cgi?id=1770615
• https://bugzilla.redhat.com/show_bug.cgi?id=1772542
• https://bugzilla.redhat.com/show_bug.cgi?id=1806398
• https://bugzilla.redhat.com/show_bug.cgi?id=1816579
• https://bugzilla.redhat.com/show_bug.cgi?id=1816629
• https://bugzilla.redhat.com/show_bug.cgi?id=1819214
• https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2780.json
• https://access.redhat.com/security/cve/CVE-2019-14885
• https://www.cve.org/CVERecord?id=CVE-2019-14885
• https://nvd.nist.gov/vuln/detail/CVE-2019-14885
• https://access.redhat.com/security/cve/CVE-2020-1938
• https://www.cve.org/CVERecord?id=CVE-2020-1938
• https://nvd.nist.gov/vuln/detail/CVE-2020-1938
• https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/
• https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100
• https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
• https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
• https://www.cnvd.org.cn/webinfo/show/5415
• https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog