Red Hat Product Errata RHSA-2017:1413 - Security Advisory

Issued: 2017-06-07
Updated: 2017-06-07

Synopsis

Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 7

Type/Severity

Security Advisory: Important


Topic

An update is now available for Red Hat JBoss Core Services on RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)
  • It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)
  • It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)
  • A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056)
  • A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)
  • It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)
  • A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.
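The restart requirement above can be checked directly rather than guessed at. The following POSIX shell script is an added example and not part of this advisory: it walks /proc/<pid>/maps and lists every process that still has a replaced (deleted-on-disk) libssl or libcrypto mapped, which is exactly the set of services still running the pre-update OpenSSL code. The function name and its optional PROCDIR parameter are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory: find services that still have the
# pre-update OpenSSL libraries loaded and therefore need a restart.
#
# When RPM replaces libssl/libcrypto, the old file is unlinked but a running
# process keeps its old copy mapped; /proc/<pid>/maps then shows that mapping
# with a "(deleted)" suffix. Any such process is still running the old code.

# stale_ssl_mappings [PROCDIR]
#   Prints "PID LIBRARY_PATH" for every process that maps a deleted
#   libssl/libcrypto. PROCDIR defaults to /proc; it is a parameter only so the
#   function can be exercised offline against a constructed directory tree.
stale_ssl_mappings() {
    procdir="${1:-/proc}"
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable, or the glob matched nothing
        pid=$(basename "$(dirname "$maps")")
        # Field 6 of a maps line is the path; "(deleted)" is a trailing field 7.
        grep -E '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null \
            | awk -v pid="$pid" '{ print pid, $6 }' \
            | sort -u
    done
}

# Stand-alone use: run as root after installing the update, before deciding
# which services to restart (httpd itself is restarted by the package update).
stale=$(stale_ssl_mappings "$@")
if [ -n "$stale" ]; then
    printf '%s\n' "$stale"
    echo "Restart the services above (or reboot) for the OpenSSL fix to take effect."
else
    echo "No process maps a replaced OpenSSL library."
fi
```

Processes that load OpenSSL only through dlopen at request time will not show a mapping until they have used it, so an empty result is a strong but not absolute signal.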

Affected Products

  • Red Hat JBoss Core Services 1 for RHEL 7 x86_64
  • Red Hat JBoss Core Services 1 for RHEL 7 ppc64

Fixes

  • BZ - 1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth
  • BZ - 1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
  • BZ - 1401528 - CVE-2016-8740 httpd: Incomplete handling of LimitRequestFields directive in mod_http2
  • BZ - 1406744 - CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto
  • BZ - 1406753 - CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest
  • BZ - 1406822 - CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects
  • BZ - 1412120 - CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery

CVEs

  • CVE-2016-0736
  • CVE-2016-2161
  • CVE-2016-6304
  • CVE-2016-7056
  • CVE-2016-8610
  • CVE-2016-8740
  • CVE-2016-8743

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/documentation/en/red-hat-jboss-core-services/

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
