RHSA-2020:2515: Important: Red Hat JBoss Enterprise Application Platform 7.3.1 Security update
Red Hat JBoss Enterprise Application Platform 7 is a platform for Javaapplications based on the WildFly application runtime.This release of Red Hat JBoss Enterprise Application Platform 7.3.1 serves as areplacement for Red Hat JBoss Enterprise Application Platform 7.3.0, andincludes bug fixes and enhancements. See the Red Hat JBoss EnterpriseApplication Platform 7.3.1 Release Notes for information about the mostsignificant bug fixes and enhancements included in this release.Security Fix(es): cxf: reflected XSS in the services listing page (CVE-2019-17573) cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423) jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172) undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757) jackson-databind: XML external entity similar to CVE-2016-3720 (CVE-2019-10172) jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172) resteasy-jaxrs: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695) cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226) smallrye-config: SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729) resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688) jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840) undertow: invalid HTTP request with large chunk size (CVE-2020-10719) jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546) jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547) jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548) undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745) libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205) libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210) wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887) jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950) jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter (CVE-2018-14371) For more details about the security issue(s), including the impact, a CVSSscore, and other related information, see the CVE page(s) listed in theReferences section.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2020:2515?
The severity of RHSA-2020:2515 is classified as critical.
How do I fix RHSA-2020:2515?
To fix RHSA-2020:2515, update to Red Hat JBoss Enterprise Application Platform version 7.3.1 or later.
What vulnerabilities does RHSA-2020:2515 address?
RHSA-2020:2515 addresses multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 7.3.0.
Is RHSA-2020:2515 applicable to all versions of JBoss?
RHSA-2020:2515 is specifically applicable to Red Hat JBoss Enterprise Application Platform version 7.3.0.
What are the risks of not applying the RHSA-2020:2515 update?
Not applying the RHSA-2020:2515 update may leave your application vulnerable to exploits that can lead to unauthorized access or data breaches.