RHSA-2020:2333: Important: EAP Continuous Delivery Technical Preview Release 19 security update
Red Hat JBoss Enterprise Application Platform CD19 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform CD19 includes bug fixes and enhancements.

Security Fix(es):

* apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default (CVE-2019-10086)
* infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174)
* undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)
* netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)
* netty: HTTP request smuggling (CVE-2019-20444)
* netty: HttpObjectDecoder.java allows Content-Length header to be accompanied by second Content-Length header (CVE-2019-20445)
* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)
* netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
* jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider..RmiProvider (CVE-2020-10968)
* jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969)
* jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111)
* jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112)
* jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113)
* thrift: Endless loop when fed with specific input data (CVE-2019-0205)
* thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
* cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12419)
* cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)
* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)
* wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)
* jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)
* jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)
* jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)
* jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources. (CVE-2019-16942)
* jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)
* jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)
* jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db. (CVE-2019-17531)
* cxf: reflected XSS in the services listing page (CVE-2019-17573)
* jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)
* resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695)
* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)
* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672)
* RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)
* Soteria: security identity corruption across concurrent threads (CVE-2020-1732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
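The four netty entries above (CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238) are all the same class of bug: a lenient header parser accepts a request whose body length a stricter parser in front of or behind it would read differently, which is what makes request smuggling possible. The following strict request-head parser is an added example, not code from the advisory or from Netty or Undertow; the function names, the `SmugglingRisk` exception and the sample requests are constructed for this illustration. It rejects each of the ambiguous shapes named in the CVE titles instead of guessing, and it is deliberately stricter than RFC 7230 in one place (it rejects duplicate Content-Length headers even when their values agree).

```python
"""Strict HTTP/1.1 request-head validation against the header ambiguities
behind the netty request-smuggling CVEs.  Added example, not project code."""
import re

# RFC 7230 token characters: a header field name may contain only these,
# so any whitespace before the colon (CVE-2019-16869) fails this check.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class SmugglingRisk(ValueError):
    """Raised for a request whose framing two parsers could read differently."""


def parse_request_head(raw: bytes) -> dict:
    """Parse the request line and headers of `raw` up to the blank line.

    Returns {"method", "target", "version", "headers": [(name, value), ...]}
    with header names lower-cased.  Raises SmugglingRisk on any ambiguity.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SmugglingRisk("no end of headers")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except ValueError:
        raise SmugglingRisk("malformed request line") from None
    headers = []
    for line in lines[1:]:
        # A line starting with SP/HTAB is obs-fold; a folded
        # " Transfer-Encoding: chunked" line is the CVE-2020-7238 shape.
        if line[:1] in (b" ", b"\t"):
            raise SmugglingRisk("folded header line: %r" % line)
        name, colon, value = line.partition(b":")
        # A line with no colon (CVE-2019-20444) is not a header at all.
        if not colon:
            raise SmugglingRisk("header line without colon: %r" % line)
        if not _TOKEN.fullmatch(name.decode("latin-1")):
            raise SmugglingRisk("invalid header name: %r" % name)
        headers.append((name.decode("ascii").lower(),
                        value.strip().decode("latin-1")))
    check_framing(headers)
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def check_framing(headers) -> None:
    """Reject any combination of body-length headers that is not unambiguous."""
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    # Two Content-Length headers (CVE-2019-20445).  Rejected even when the
    # values agree, which is stricter than RFC 7230 permits.
    if len(cls) > 1:
        raise SmugglingRisk("multiple Content-Length headers: %r" % cls)
    if cls and not cls[0].isdigit():
        raise SmugglingRisk("non-numeric Content-Length: %r" % cls[0])
    # RFC 7230 3.3.3: a message carrying both is an error, because a proxy and
    # the origin may each honour a different one.
    if cls and tes:
        raise SmugglingRisk("Transfer-Encoding and Content-Length both present")
    if tes:
        codings = [c.strip().lower() for c in ",".join(tes).split(",")]
        if codings[-1] != "chunked":
            raise SmugglingRisk("final transfer coding must be chunked: %r" % codings)


# Constructed sample requests (not captured traffic) for a self-check.
SAMPLES = {
    "clean": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
    "space_before_colon": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length : 5\r\n\r\nhello",
    "double_cl": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 11\r\n\r\nhello",
    "folded_te": b"POST /api HTTP/1.1\r\nHost: app.example\r\n Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\nhello",
    "no_colon": b"POST /api HTTP/1.1\r\nHost: app.example\r\nX-Bogus\r\nContent-Length: 5\r\n\r\nhello",
    "te_and_cl": b"POST /api HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n",
}


def verdict(raw: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for one raw request."""
    try:
        parse_request_head(raw)
        return "accepted"
    except SmugglingRisk as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:20} {verdict(req)}")
```

Run the module directly to see each constructed sample classified. The useful property for a defender is that every rejection happens before any body bytes are consumed, so a front-end applying these rules never leaves a partial request on the connection for the next parser to misread.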
Frequently Asked Questions
What security vulnerabilities does RHSA-2020:2333 address?
RHSA-2020:2333 addresses 35 CVEs in libraries bundled with EAP CD19. The largest group is jackson-databind serialization gadget classes (CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-9547, CVE-2020-10672, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113). The rest cover HTTP request smuggling in netty (CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2020-7238), an HTTPS denial of service and an AJP file read/inclusion issue in undertow (CVE-2019-14888, CVE-2020-1745), OpenID Connect clientId validation and reflected XSS in cxf (CVE-2019-12419, CVE-2019-12423, CVE-2019-17573), response header validation and reflected XSS in RESTEasy (CVE-2020-1695, CVE-2020-10688), parsing bugs in thrift (CVE-2019-0205, CVE-2019-0210), the unsuppressed class property in apache-commons-beanutils (CVE-2019-10086), private method invocation via reflection in infinispan (CVE-2019-10174), the ignored enabled-protocols setting in wildfly legacy security with the OpenSSL provider (CVE-2019-14887), and security identity corruption across threads in Soteria (CVE-2020-1732).
How do I fix RHSA-2020:2333?
To fix RHSA-2020:2333, apply the updated Red Hat JBoss Enterprise Application Platform CD19 release provided with the advisory and restart the server so the patched libraries are loaded. Because the fixes are in bundled modules (jackson-databind, netty, undertow, cxf, RESTEasy, thrift and others), also check that no deployed application ships its own older copy of those libraries, since an application-bundled jar is not replaced by a platform update.
What is the impact of the vulnerabilities in RHSA-2020:2333?
Red Hat rates the advisory as Important. Based on the fixes listed, the most serious outcomes are remote code execution through jackson-databind serialization gadgets in applications that enable polymorphic typing (CVE-2020-10672 is explicitly described as possible remote command execution), HTTP request smuggling through netty that lets an attacker bypass controls applied by a front-end proxy, and file read/inclusion via the undertow AJP listener (CVE-2020-1745). Lower-severity outcomes include denial of service (undertow HTTPS listener, thrift endless loop and out-of-bounds read), reflected cross-site scripting (cxf, RESTEasy), TLS protocol restrictions silently not being enforced (CVE-2019-14887), and requests running under another user's security identity (CVE-2020-1732).
Is RHSA-2020:2333 applicable to all versions of Red Hat JBoss?
No. RHSA-2020:2333 applies only to Red Hat JBoss Enterprise Application Platform CD19, the Continuous Delivery technical preview stream. Other EAP streams are not covered by this advisory; consult the advisories issued for the stream you run, since many of the same CVEs affect them through the same bundled libraries.
What should I do if I cannot apply the fix for RHSA-2020:2333 immediately?
If you cannot apply the fix immediately, reduce exposure to the specific issues fixed here: do not enable jackson-databind default (polymorphic) typing, and do not deserialize untrusted JSON into types that allow it; disable or firewall the AJP listener unless a front-end actually uses it (CVE-2020-1745); place HTTP listeners behind a proxy that rejects requests with ambiguous framing such as duplicate Content-Length headers, Transfer-Encoding together with Content-Length, or malformed header lines (the netty smuggling CVEs); verify with an external TLS scan which protocol versions the server actually negotiates rather than trusting the configured enabled-protocols value (CVE-2019-14887); and monitor access logs for unusual request shapes and for errors from the affected components. These measures narrow the attack surface but do not remove the vulnerable code, so schedule the update as soon as possible.