RHSA-2016:2957 - Security Advisory

Topic

Red Hat JBoss Core Services httpd 2.4.23 is now available from the Red Hat Customer Portal for Solaris and Microsoft Windows systems.

Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release of Red Hat JBoss Core Services httpd 2.4.23 serves as a replacement for JBoss Core Services Apache HTTP Server 2.4.6.

Security Fix(es):

• This update fixes several flaws in OpenSSL. (CVE-2014-8176, CVE-2015-0209, CVE-2015-0286, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-3216, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2177, CVE-2016-2178, CVE-2016-2842)
• This update fixes several flaws in libxml2. (CVE-2016-1762, CVE-2016-1833, CVE-2016-1834, CVE-2016-1835, CVE-2016-1836, CVE-2016-1837, CVE-2016-1838, CVE-2016-1839, CVE-2016-1840, CVE-2016-3627, CVE-2016-3705, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449, CVE-2016-4483)
• This update fixes three flaws in curl. (CVE-2016-5419, CVE-2016-5420, CVE-2016-7141)
• This update fixes two flaws in httpd. (CVE-2014-3523, CVE-2015-3185)
• This update fixes two flaws in mod_cluster. (CVE-2016-4459, CVE-2016-8612)
• A buffer overflow flaw when concatenating virtual host names and URIs was fixed in mod_jk. (CVE-2016-6808)
• A memory leak flaw was fixed in expat. (CVE-2012-1148)

Red Hat would like to thank the OpenSSL project for reporting CVE-2014-8176, CVE-2015-0286, CVE-2016-2108, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-0702, CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842. The CVE-2016-4459 issue was discovered by Robert Bost (Red Hat). Upstream acknowledges Stephen Henson (OpenSSL development team) as the original reporter of CVE-2015-0286; Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters of CVE-2016-2108; Guido Vranken as the original reporter of CVE-2016-2105, CVE-2016-2106, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842; Juraj Somorovsky as the original reporter of CVE-2016-2107; Yuval Yarom (University of Adelaide and NICTA), Daniel Genkin (Technion and Tel Aviv University), and Nadia Heninger (University of Pennsylvania) as the original reporters of CVE-2016-0702; and Adam Langley (Google/BoringSSL) as the original reporter of CVE-2016-0705.

See the corresponding CVE pages linked to in the References section for more information about each of the flaws listed in this advisory.

Solution

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

• Red Hat JBoss Core Services Text-Only Advisories x86_64

Fixes

• BZ - 801648 - CVE-2012-1148 expat: Memory leak in poolGrow
• BZ - 1121519 - CVE-2014-3523 httpd: WinNT MPM denial of service
• BZ - 1196737 - CVE-2015-0209 openssl: use-after-free on invalid EC private key import
• BZ - 1202366 - CVE-2015-0286 openssl: invalid pointer use in ASN1_TYPE_cmp()
• BZ - 1227574 - CVE-2015-3216 openssl: Crash in ssleay_rand_bytes due to locking regression
• BZ - 1228611 - CVE-2014-8176 OpenSSL: Invalid free in DTLS
• BZ - 1243888 - CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4
• BZ - 1288320 - CVE-2015-3194 OpenSSL: Certificate verify crash with missing PSS parameter
• BZ - 1288322 - CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak
• BZ - 1288326 - CVE-2015-3196 OpenSSL: Race condition handling PSK identify hint
• BZ - 1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code
• BZ - 1310599 - CVE-2016-0702 OpenSSL: Side channel attack on modular exponentiation
• BZ - 1311880 - CVE-2016-0797 OpenSSL: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
• BZ - 1312219 - CVE-2016-0799 OpenSSL: Fix memory issues in BIO_*printf functions
• BZ - 1314757 - CVE-2016-2842 openssl: doapr_outch function does not verify that certain memory allocation succeeds
• BZ - 1319829 - CVE-2016-3627 libxml2: stack exhaustion while parsing xml files in recovery mode
• BZ - 1330101 - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
• BZ - 1331402 - CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
• BZ - 1331426 - CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check
• BZ - 1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
• BZ - 1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
• BZ - 1332443 - CVE-2016-3705 libxml2: stack overflow before detecting invalid XML file
• BZ - 1332820 - CVE-2016-4483 libxml2: out-of-bounds read
• BZ - 1338682 - CVE-2016-1833 libxml2: Heap-based buffer overread in htmlCurrentChar
• BZ - 1338686 - CVE-2016-4447 libxml2: Heap-based buffer underreads due to xmlParseName
• BZ - 1338691 - CVE-2016-1835 libxml2: Heap use-after-free in xmlSAX2AttributeNs
• BZ - 1338696 - CVE-2016-1837 libxml2: Heap use-after-free in htmlPArsePubidLiteral and htmlParseSystemiteral
• BZ - 1338700 - CVE-2016-4448 libxml2: Format string vulnerability
• BZ - 1338701 - CVE-2016-4449 libxml2: Inappropriate fetch of entities content
• BZ - 1338702 - CVE-2016-1836 libxml2: Heap use-after-free in xmlDictComputeFastKey
• BZ - 1338703 - CVE-2016-1839 libxml2: Heap-based buffer overread in xmlDictAddString
• BZ - 1338705 - CVE-2016-1838 libxml2: Heap-based buffer overread in xmlPArserPrintFileContextInternal
• BZ - 1338706 - CVE-2016-1840 libxml2: Heap-buffer-overflow in xmlFAParserPosCharGroup
• BZ - 1338708 - CVE-2016-1834 libxml2: Heap-buffer-overflow in xmlStrncat
• BZ - 1338711 - CVE-2016-1762 libxml2: Heap-based buffer-overread in xmlNextChar
• BZ - 1341583 - CVE-2016-4459 mod_cluster: Buffer overflow in mod_manager when sending request with long JVMRoute
• BZ - 1341705 - CVE-2016-2177 openssl: Possible integer overflow vulnerabilities in codebase
• BZ - 1343400 - CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation
• BZ - 1362183 - CVE-2016-5419 curl: TLS session resumption client cert bypass
• BZ - 1362190 - CVE-2016-5420 curl: Re-using connection with wrong client cert
• BZ - 1373229 - CVE-2016-7141 curl: Incorrect reuse of client certificates
• BZ - 1382352 - CVE-2016-6808 mod_jk: Buffer overflow when concatenating virtual host name and URI
• BZ - 1387605 - CVE-2016-8612 JBCS mod_cluster: Protocol parsing logic error

CVEs

• CVE-2012-0876
• CVE-2012-1148
• CVE-2014-3523
• CVE-2014-8176
• CVE-2015-0209
• CVE-2015-0286
• CVE-2015-3185
• CVE-2015-3194
• CVE-2015-3195
• CVE-2015-3196
• CVE-2015-3216
• CVE-2016-0702
• CVE-2016-0705
• CVE-2016-0797
• CVE-2016-0799
• CVE-2016-1762
• CVE-2016-1833
• CVE-2016-1834
• CVE-2016-1835
• CVE-2016-1836
• CVE-2016-1837
• CVE-2016-1838
• CVE-2016-1839
• CVE-2016-1840
• CVE-2016-2105
• CVE-2016-2106
• CVE-2016-2107
• CVE-2016-2108
• CVE-2016-2109
• CVE-2016-2177
• CVE-2016-2178
• CVE-2016-2842
• CVE-2016-3627
• CVE-2016-3705
• CVE-2016-4447
• CVE-2016-4448
• CVE-2016-4449
• CVE-2016-4459
• CVE-2016-4483
• CVE-2016-5419
• CVE-2016-5420
• CVE-2016-6808
• CVE-2016-7141
• CVE-2016-8612

References

• https://access.redhat.com/security/updates/classification/#important
• https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp&downloadType=distributions&version=2.4.23
• https://access.redhat.com/documentation/en/red-hat-jboss-core-services-apache-http-server/version-2.4.23/apache-http-server-2423-release-notes/