Red Hat Product Errata RHSA-2017:1414 - Security Advisory
Issued: 2017-06-07
Updated: 2017-06-07

Synopsis

Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 6

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat JBoss Core Services on RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links listed under CVEs below.

Description

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)
  • It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)
  • It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)
  • A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056)
  • A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)
  • It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)
  • A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. Because mod_http2 did not fully apply the LimitRequestFields limit, a remote attacker could send crafted requests with header fields large enough to exhaust the server's available memory, causing httpd to crash. (CVE-2016-8740)
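
CVE-2016-0736 above is a textbook case of encryption without integrity: the session blob is CBC-encrypted, nothing authenticates it, and so the server's reaction to bad padding becomes an oracle that decrypts for the attacker. The following is an added example, not code from this advisory or from mod_session_crypto. It uses a toy Feistel block cipher (an assumption made so the script needs only the standard library; the attack depends only on CBC mode and PKCS#7 padding, not on the cipher), a constructed session payload, and two hypothetical server behaviours, `leaky_oracle` and `authenticated_oracle`. It recovers the last plaintext block from the unauthenticated construction, then shows that checking an HMAC over IV and ciphertext before decrypting leaves the attacker nothing to probe.

```python
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel cipher on 16-byte blocks (assumption: a stdlib-only
    # stand-in for AES; the attack depends only on CBC + padding, not on the cipher).
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def recover_last_block(oracle, iv: bytes, ct: bytes) -> bytes:
    """Padding-oracle attack: recover the last plaintext block of ct using only
    oracle(prev_block, block) -> bool (did the padding decrypt cleanly?)."""
    prev = iv if len(ct) == BLOCK else ct[-2 * BLOCK:-BLOCK]
    target = ct[-BLOCK:]
    inter = bytearray(BLOCK)  # block_decrypt(key, target), learned byte by byte
    for i in range(BLOCK - 1, -1, -1):
        padv = BLOCK - i
        for g in range(256):
            forged = bytearray(os.urandom(i)) + bytes([g]) + bytes(inter[j] ^ padv for j in range(i + 1, BLOCK))
            if not oracle(bytes(forged), target):
                continue
            if i == BLOCK - 1:  # rule out an accidental longer valid padding
                forged[i - 1] ^= 1
                if not oracle(bytes(forged), target):
                    continue
            inter[i] = g ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted a forgery: nothing leaks")
    return _xor(bytes(inter), prev)

def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()[:16]
    mac_key = hashlib.sha256(b"constructed demo mac key").digest()
    iv = bytes(range(BLOCK))
    session = b"user=alice;exp=1496793600;mfa=1;role=user"  # constructed session payload
    ct = cbc_encrypt(key, iv, pad(session))
    def leaky_oracle(prev: bytes, blk: bytes) -> bool:
        try:  # vulnerable pattern: decrypt first, so the padding error is observable
            unpad(cbc_decrypt(key, prev, blk))
            return True
        except ValueError:
            return False
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    def authenticated_oracle(prev: bytes, blk: bytes) -> bool:
        # fixed pattern: check the MAC over IV||ciphertext before any decryption
        expect = hmac.new(mac_key, prev + blk, hashlib.sha256).digest()
        return hmac.compare_digest(expect, tag) and leaky_oracle(prev, blk)
    leaked = recover_last_block(leaky_oracle, iv, ct)
    try:
        recover_last_block(authenticated_oracle, iv, ct)
        blocked = False
    except RuntimeError:
        blocked = True
    return {"leaked": leaked, "expected": pad(session)[-BLOCK:], "blocked": blocked}
```

`demo()` returns the block the attacker recovered through the leaky oracle (the `role=user` field plus padding), the genuine last block for comparison, and whether the MAC-protected variant blocked the attack. The authenticated variant also defeats the "modify" half of the flaw: flipping bits in one CBC block to rewrite the next block's plaintext fails the tag check before the server decrypts anything. Encrypt-then-MAC under a separate key, or an AEAD mode, is the general remedy for session data stored client-side.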

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.
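
CVE-2016-8743 in the list above is a discrepancy bug: httpd tolerated bytes that RFC 7230 forbids in header lines (whitespace before the colon, bare CR or LF, control characters, obsolete line folding), and a proxy or backend that parsed the same bytes differently could be made to see a different set of headers than httpd did. The strict parser below is an added example written for this page, not code from httpd's source; its grammar is transcribed from RFC 7230 section 3.2, the request fragments it runs over are constructed, and `check`, `run_samples` and `HeaderError` are names chosen here.

```python
import re

# Grammar from RFC 7230 section 3.2 (assumed here; this is an added example,
# not httpd's parser):
#   header-field = field-name ":" OWS field-value OWS   (no whitespace before ":")
#   field-name   = token = 1*tchar
#   field-value  = VCHAR (0x21-0x7E) / SP / HTAB / obs-text (0x80-0xFF), no other CTLs
TCHAR = re.compile(rb"\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\Z")
FIELD_VALUE = re.compile(rb"\A[\t\x20-\x7E\x80-\xFF]*\Z")


class HeaderError(ValueError):
    pass


def parse_header_block(raw: bytes) -> list:
    """Strictly parse the header block that follows the request line, up to and
    including the terminating CRLF CRLF. Returns [(lowercased-name, value), ...]."""
    if not raw.endswith(b"\r\n\r\n"):
        raise HeaderError("header block must end with CRLF CRLF")
    body = raw[:-4]
    if body == b"":
        return []
    fields = []
    for line in body.split(b"\r\n"):
        if line == b"":
            raise HeaderError("empty line before end of header block")
        if b"\r" in line or b"\n" in line:
            raise HeaderError("bare CR or LF inside a header line")
        if line[:1] in (b" ", b"\t"):
            raise HeaderError("obsolete line folding (obs-fold) rejected")
        name, sep, value = line.partition(b":")
        if not sep:
            raise HeaderError("header line without ':'")
        if not TCHAR.match(name):  # also rejects 'Host :' (whitespace before the colon)
            raise HeaderError("field-name %r is not a token" % name)
        value = value.strip(b" \t")
        if not FIELD_VALUE.match(value):
            raise HeaderError("field-value of %r contains forbidden bytes" % name)
        fields.append((name.lower(), value))
    return fields


def check(raw: bytes) -> tuple:
    """(accepted?, parsed fields or rejection reason) for one header block."""
    try:
        return True, parse_header_block(raw)
    except HeaderError as e:
        return False, str(e)


# Constructed samples: a well-formed block, a high-byte value (obs-text, legal),
# and the kinds of line the strict grammar refuses.
SAMPLES = {
    "clean": b"Host: example.test\r\nX-Forwarded-For: 203.0.113.5\r\n\r\n",
    "obs-text-value": b"X-Raw: caf\xc3\xa9\r\n\r\n",
    "space-before-colon": b"Host : example.test\r\n\r\n",
    "bare-cr": b"X-Note: a\rSet-Cookie: x\r\n\r\n",
    "bare-lf": b"X-Note: a\nSet-Cookie: x\r\n\r\n",
    "line-folding": b"X-Long: a\r\n b\r\n\r\n",
    "control-char": b"X-Ctl: a\x00b\r\n\r\n",
    "space-in-name": b"X Bad: v\r\n\r\n",
    "no-colon": b"Host example.test\r\n\r\n",
}


def run_samples() -> dict:
    return {label: check(raw)[0] for label, raw in SAMPLES.items()}
```

Each rejected sample is a byte sequence on which two lenient parsers can legitimately disagree (is `Host ` the `Host` header? does the bare CR end the line?); accepting only the grammar leaves nothing to disagree about, which is what removes the cache-poisoning path. Upstream httpd's fix for this class of problem became the HttpProtocolOptions directive (2.4.25 and later, Strict by default); this advisory does not say whether the JBCS 2.4.23 build exposes it, so check the bundled httpd's documentation before relying on it.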

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The httpd daemon is restarted automatically when the updated packages are installed. For the update to take full effect, every other service linked to the updated OpenSSL library must also be restarted, or the system rebooted.
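
A practitioner who has followed the steps above usually wants a check that the update actually landed. The script below is an added example, not Red Hat's tooling: it compares installed jbcs-httpd24 packages against the fixed releases listed in this advisory (using a simplified rpmvercmp with the `~` and `^` rules omitted, an assumption that holds for these version strings), verifies a downloaded RPM against the SHA-256 digests published on this page, and lists processes whose mapped libssl/libcrypto is marked `(deleted)`, meaning they still run the pre-update library. The `rpm -qa` output and `/proc/<pid>/maps` excerpts are constructed samples, and the library path in them is assumed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Fixed version-release per binary package, copied from this advisory's package
# list (debuginfo subpackages omitted); all carry epoch 0.
_FIXED_VR = {
    "2.4.23-120.jbcs.el6": ("httpd", "httpd-devel", "httpd-libs", "httpd-manual", "httpd-selinux",
                            "httpd-tools", "mod_ldap", "mod_proxy_html", "mod_session", "mod_ssl"),
    "2.9.1-19.GA.jbcs.el6": ("mod_security",),
    "1.0.2h-13.jbcs.el6": ("openssl", "openssl-devel", "openssl-libs", "openssl-perl", "openssl-static"),
}
FIXED_EVR = {"jbcs-httpd24-" + n: ("0",) + tuple(vr.split("-")) for vr, ns in _FIXED_VR.items() for n in ns}
# SHA-256 digests as published in this advisory (x86_64), for checking downloaded RPMs.
ADVISORY_SHA256 = {
    "jbcs-httpd24-httpd-2.4.23-120.jbcs.el6.x86_64.rpm": "e36d8895b1a4e115bc81e6b79bb1ea49fcbda5c000ed4fc38da557f7210c60e7",
    "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.x86_64.rpm": "18d0e2714b07ac3657e1a7e5e984174003634d0dcd5f6139615d1b9338f82457",
}

def rpmvercmp(a: str, b: str) -> int:
    # Simplified rpmvercmp: digit/alpha runs compared in order, numeric beats alpha,
    # longer wins on a tie. Assumption: no '~'/'^' handling (unused in these versions).
    sa, sb = re.findall(r"[0-9]+|[A-Za-z]+", a), re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a: tuple, b: tuple) -> int:
    return next((c for c in (rpmvercmp(x, y) for x, y in zip(a, b)) if c), 0)

def find_outdated(rpm_qa_output: str) -> list:
    """Input: lines from rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\\n'.
    Output: [(name, installed version-release, fixed version-release), ...]."""
    outdated = []
    for line in rpm_qa_output.strip().splitlines():
        name, epoch, version, release, _arch = line.split()
        fixed = FIXED_EVR.get(name)
        if fixed is None:
            continue  # not a package shipped by this advisory
        installed = ("0" if epoch == "(none)" else epoch, version, release)
        if evr_cmp(installed, fixed) < 0:
            outdated.append((name, "%s-%s" % installed[1:], "%s-%s" % fixed[1:]))
    return outdated

def pids_needing_restart(maps_by_pid: dict) -> list:
    # {pid: text of /proc/<pid>/maps}. A libssl/libcrypto mapping tagged '(deleted)'
    # means the file was replaced on disk while the process still runs the old copy.
    stale = re.compile(r"lib(ssl|crypto)\S*\.so\S*\s+\(deleted\)")
    return sorted(pid for pid, maps in maps_by_pid.items() if stale.search(maps))

def sha256_matches(path: str, expected_hex: str) -> bool:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_hex.lower())

# Constructed sample data (not real system output): three packages behind the
# advisory, two already at the fixed release, one unrelated system package.
SAMPLE_RPM_QA = """\
jbcs-httpd24-httpd (none) 2.4.23 119.jbcs.el6 x86_64
jbcs-httpd24-httpd-libs (none) 2.4.23 119.jbcs.el6 x86_64
jbcs-httpd24-mod_ssl (none) 2.4.23 120.jbcs.el6 x86_64
jbcs-httpd24-mod_security (none) 2.9.1 19.GA.jbcs.el6 x86_64
jbcs-httpd24-openssl-libs (none) 1.0.2h 12.jbcs.el6 x86_64
httpd (none) 2.2.15 60.el6 x86_64
"""
SAMPLE_MAPS = {  # constructed /proc/<pid>/maps excerpts; the library path is assumed
    4120: "7f3a1c000000-7f3a1c1f0000 r-xp 00000000 fd:00 393241 /opt/rh/jbcs-httpd24/root/usr/lib64/libssl.so.1.0.2h (deleted)\n",
    4131: "7f3a1c000000-7f3a1c1f0000 r-xp 00000000 fd:00 393250 /opt/rh/jbcs-httpd24/root/usr/lib64/libssl.so.1.0.2h\n",
}

def demo() -> dict:
    payload = b"constructed stand-in for an RPM payload"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    try:
        return {
            "outdated": find_outdated(SAMPLE_RPM_QA),
            "restart": pids_needing_restart(SAMPLE_MAPS),
            "digest_ok": sha256_matches(path, hashlib.sha256(payload).hexdigest()),
            "digest_wrong": sha256_matches(path, ADVISORY_SHA256["jbcs-httpd24-httpd-2.4.23-120.jbcs.el6.x86_64.rpm"]),
        }
    finally:
        os.unlink(path)
```

On a real host, feed `find_outdated` the output of `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'` and `pids_needing_restart` the contents of `/proc/*/maps`. The processes it reports are exactly the ones the Solution says must be restarted; an empty list after httpd's automatic restart and a restart of every other OpenSSL-linked service (or a reboot) confirms the advisory is fully applied. The `digest_wrong` entry in `demo()` is expected to be false because the temporary file is not the real RPM; against a genuinely downloaded package the published digest is what should match.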

Affected Products

  • Red Hat JBoss Core Services 1 for RHEL 6 x86_64
  • Red Hat JBoss Core Services 1 for RHEL 6 ppc64
  • Red Hat JBoss Core Services 1 for RHEL 6 i386

Fixes

  • BZ - 1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth
  • BZ - 1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
  • BZ - 1401528 - CVE-2016-8740 httpd: Incomplete handling of LimitRequestFields directive in mod_http2
  • BZ - 1406744 - CVE-2016-0736 httpd: Padding Oracle in Apache mod_session_crypto
  • BZ - 1406753 - CVE-2016-2161 httpd: DoS vulnerability in mod_auth_digest
  • BZ - 1406822 - CVE-2016-8743 httpd: Apache HTTP Request Parsing Whitespace Defects
  • BZ - 1412120 - CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery

CVEs

  • CVE-2016-0736
  • CVE-2016-2161
  • CVE-2016-6304
  • CVE-2016-7056
  • CVE-2016-8610
  • CVE-2016-8740
  • CVE-2016-8743

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/documentation/en/red-hat-jboss-core-services/

Updated Packages

Note: More recent versions of these packages may be available.

Red Hat JBoss Core Services 1 for RHEL 6

SRPM
jbcs-httpd24-httpd-2.4.23-120.jbcs.el6.src.rpm SHA-256: 2533608cb55441981a2c732611c9ba7224b72e62e030b82a1b52540e327fe4fb
jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el6.src.rpm SHA-256: de07a27a2684ecf41fc952cad2ebb52f86e14c6d8856dcc9a0a2c037a4c99290
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.src.rpm SHA-256: a178b3c166fd34a8267256e16735860c4af4d3b79c4c6eeb424d8847c9cdf667
x86_64
jbcs-httpd24-httpd-2.4.23-120.jbcs.el6.x86_64.rpm SHA-256: e36d8895b1a4e115bc81e6b79bb1ea49fcbda5c000ed4fc38da557f7210c60e7
jbcs-httpd24-httpd-debuginfo-2.4.23-120.jbcs.el6.x86_64.rpm SHA-256: b6362e6d3381d9d81439640f157f735797487045d70aa7a8ebd4cb1e99f5f562
jbcs-httpd24-httpd-devel-2.4.23-120.jbcs.el6.x86_64.rpm SHA-256: 74cac01fae5d6b9a3a434dedafdd9a8ddfc5dd0baca7752d39669a8518f54431
jbcs-httpd24-httpd-libs-2.4.23-120.jbcs.el6.x86_64.rpm SHA-256: 1ea4f130bc5fbd1eaa271353ca5ea7c8ff3eecc1a1c5aeab75ac1b70f2f226f3
jbcs-httpd24-httpd-manual-2.4.23-120.jbcs.el6.noarch.rpm SHA-256: 3e11bb657d1b26b80ca2bbccd7429720333e35e726f7a057713130f794013d21
jbcs-httpd24-httpd-selinux-2.4.23-120.jbcs.el6.x86_64.rpm SHA-256: 8c9df8026a283ab0f61986ddd3a92005976c04e1a62d5391e08fd1854cc136e0
jbcs-httpd24-httpd-tools-2.4.23-120.jbcs.el6.x86_64.rpm SHA-256: 347a3943e28c35660788a2bec69b03aa799d00a596ac107d01da39ee515cefd8
jbcs-httpd24-mod_ldap-2.4.23-120.jbcs.el6.x86_64.rpm SHA-256: d6294893f0a4fc6d325faa9fc8a1111635d7e2d7ae52b51540a22a98bba6fb6b
jbcs-httpd24-mod_proxy_html-2.4.23-120.jbcs.el6.x86_64.rpm SHA-256: 4cda46df51766eb2495e2f158edefc850b53141b9f271d1df5c92189ece99e90
jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el6.x86_64.rpm SHA-256: a74a6178770215e08cf26491ce49f0b80c4481a2c405dfef6aecee95ef8c51a0
jbcs-httpd24-mod_security-debuginfo-2.9.1-19.GA.jbcs.el6.x86_64.rpm SHA-256: 86ca0481a52e663595746f1182468c96b5fb27d8e63516643c538d18c5932b1d
jbcs-httpd24-mod_session-2.4.23-120.jbcs.el6.x86_64.rpm SHA-256: c17627cfca50cadb21cc17d0028eb22838d17bd30f62fd5289381121e4cc86d9
jbcs-httpd24-mod_ssl-2.4.23-120.jbcs.el6.x86_64.rpm SHA-256: a6adb58273fe5463b44aeab79273adf4479b29736972ecff2b8032e79f511188
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.x86_64.rpm SHA-256: 18d0e2714b07ac3657e1a7e5e984174003634d0dcd5f6139615d1b9338f82457
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.x86_64.rpm SHA-256: 9b4f1f0ca860b11dab3a50ac4bf574c1a4ce3fc3c931f428fc7ac06e0debf348
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.x86_64.rpm SHA-256: ee8db2a8e36302d4ae6859ecb6821b991efd103940becb9700f160dc0f6992d3
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.x86_64.rpm SHA-256: eb950ce95cf94c2b2af79b85559ade42adf07d64cdc9a9f96e0fb48ea76b6d9b
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.x86_64.rpm SHA-256: e658108990ae3a9015e54a142450426873c4475f6557f0078146d4352ac157dd
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.x86_64.rpm SHA-256: ef5a7fc42691f2610057c3623c493a1c8b2e9f9c6bd2f6e0f7397c4561dee811
ppc64
jbcs-httpd24-httpd-2.4.23-120.jbcs.el6.ppc64.rpm SHA-256: 8ed58129464c87f2bf6ea07cf433c1f76e5e6c0765ded08b48c060756d69bb53
jbcs-httpd24-httpd-debuginfo-2.4.23-120.jbcs.el6.ppc64.rpm SHA-256: b50807234bc35aef5cb3d2ef7914c6f079d6f771d6ce760ba8b7c5b305d16eb4
jbcs-httpd24-httpd-devel-2.4.23-120.jbcs.el6.ppc64.rpm SHA-256: 1bdeac7de8d20f93d87073bf494550162bd52877f40bc4ffba15ade8963b1abb
jbcs-httpd24-httpd-libs-2.4.23-120.jbcs.el6.ppc64.rpm SHA-256: 9ce8149c8cbaee473d58d653bebafbd84f054c83a0eaade54e43b47d3d593dab
jbcs-httpd24-httpd-manual-2.4.23-120.jbcs.el6.noarch.rpm SHA-256: 3e11bb657d1b26b80ca2bbccd7429720333e35e726f7a057713130f794013d21
jbcs-httpd24-httpd-selinux-2.4.23-120.jbcs.el6.ppc64.rpm SHA-256: 4fe32e6e968c0f4b835c31ec9b251f15f9ee7f5792b31167579a0debaf4e77a3
jbcs-httpd24-httpd-tools-2.4.23-120.jbcs.el6.ppc64.rpm SHA-256: 19a1aa06eeaeefe8649a0f6d2bae31ccc47f05cea2327dec55c64093d45ba241
jbcs-httpd24-mod_ldap-2.4.23-120.jbcs.el6.ppc64.rpm SHA-256: cf8c2c6fc49b3e27f5028d3f510d1c26344f8b635d30fac06e4d365f9aa09b09
jbcs-httpd24-mod_proxy_html-2.4.23-120.jbcs.el6.ppc64.rpm SHA-256: b4d558ece064edea89cba360601f61fa7ecf43b4e85230149aea47ffb9cab128
jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el6.ppc64.rpm SHA-256: 9692e0f234c6225d2c061e9e8e0b036b97fdd2d911cb7c753e3b521bc1579730
jbcs-httpd24-mod_security-debuginfo-2.9.1-19.GA.jbcs.el6.ppc64.rpm SHA-256: 479d76a90f3248c0e23a8ee7adf6d0b75522d05e9f635fab3749dbd229711a86
jbcs-httpd24-mod_session-2.4.23-120.jbcs.el6.ppc64.rpm SHA-256: 103bdc20a6f156c26d83eca1e6025c8ae1520cf060f6f902c1f7498de7760926
jbcs-httpd24-mod_ssl-2.4.23-120.jbcs.el6.ppc64.rpm SHA-256: 0bb9fadb6317761e571b2cc78902c6be970a87673ddc805505ab124f13615f82
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.ppc64.rpm SHA-256: b8fdaae86933a410da29e164eefbc3137301dad4e94782cf396ede04eb1a069e
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.ppc64.rpm SHA-256: a48f6af3f09c63ad8f32072528a2b051c5de6c7e0f31301ddb68720f1447dcce
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.ppc64.rpm SHA-256: 319cdf1ff6b64428597b47178e67b77d76a23589b0cafcd0f2c505f6e8c75208
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.ppc64.rpm SHA-256: de17bab283d1f9e1942293cb744c560a51bd3cf7c571230e29e527587dd5c261
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.ppc64.rpm SHA-256: f39c224e936a72be38cdd8a84d34f7c72456aafbeb4528fb4793e93264d81a29
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.ppc64.rpm SHA-256: 289e4f3a980f2cbdedd6e750e21d70e7b9a0ff466b0817a2c18f5390250b78d1
i386
jbcs-httpd24-httpd-2.4.23-120.jbcs.el6.i686.rpm SHA-256: 382ec9b67f3ba4e29a1b976a94c219d471fba82a9e554a06d24054f0beaadc3e
jbcs-httpd24-httpd-debuginfo-2.4.23-120.jbcs.el6.i686.rpm SHA-256: c304bf4a1f1a99191770a0e6ad6456f51711f3fa7c86e28eaa9cde163a31eea6
jbcs-httpd24-httpd-devel-2.4.23-120.jbcs.el6.i686.rpm SHA-256: 864e7069ed4798d04251d17cb24e0410bb5e16485d0ee456966fcd886a7a37ae
jbcs-httpd24-httpd-libs-2.4.23-120.jbcs.el6.i686.rpm SHA-256: e76e27c945e84716bb647fa9b1da30c58c9023edfcb75b24a36fc42329363d9c
jbcs-httpd24-httpd-manual-2.4.23-120.jbcs.el6.noarch.rpm SHA-256: 3e11bb657d1b26b80ca2bbccd7429720333e35e726f7a057713130f794013d21
jbcs-httpd24-httpd-selinux-2.4.23-120.jbcs.el6.i686.rpm SHA-256: 7dd41bc98017602a99840b51b5d60b725af84b376c92bd52c331e6328f955391
jbcs-httpd24-httpd-tools-2.4.23-120.jbcs.el6.i686.rpm SHA-256: e51ca40e37025d15791f54bdee54d80ae65dffdb30a499a083d24aca2e8db26e
jbcs-httpd24-mod_ldap-2.4.23-120.jbcs.el6.i686.rpm SHA-256: 8c72d99201de91d5e9d0a5fb881d79d2d47c73097667a9106508e7e86efa54aa
jbcs-httpd24-mod_proxy_html-2.4.23-120.jbcs.el6.i686.rpm SHA-256: bce999cecd73c34c599df1544c3cac62a70eb2b538cf7408ed5221ade4439eaf
jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el6.i686.rpm SHA-256: dd7762aac561452fe5efbe8f0720314534348b653eda3ae32a781f884c31d7fe
jbcs-httpd24-mod_security-debuginfo-2.9.1-19.GA.jbcs.el6.i686.rpm SHA-256: b6726722bb0262eef129ce1f24f550882850bef56379ef3dbbd2b07647517c58
jbcs-httpd24-mod_session-2.4.23-120.jbcs.el6.i686.rpm SHA-256: d5f2e06a6106c462340a74a530671216127e5614993068083067952cd2d12694
jbcs-httpd24-mod_ssl-2.4.23-120.jbcs.el6.i686.rpm SHA-256: d3f0d0376a7905342dd88d3f11188e67f41a154273b37f66b9726b7abe693591
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.i686.rpm SHA-256: 12fdc8388bd656ef5ae81e75ff67adaea4242e5e8ab46eebaf27980faaaa566e
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.i686.rpm SHA-256: 0d721eec463da294dc6524e9b36407128793c8799997457d36623754809fffba
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.i686.rpm SHA-256: b4318bc1df34802f3fb7e271a46b77f45a8d10b21617e685492c7c7ebc2aea1f
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.i686.rpm SHA-256: efffa323986b0967be112446db44db639f6230d22e6ab1a63792a981124c13d2
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.i686.rpm SHA-256: e2df36a03c46e355b000db5a9bdce4f4d296d5cf40a0e21ff0a8087cbfad879e
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.i686.rpm SHA-256: 6480af7ff4572f198c667a62346079af57c3076687f324dea6b4ecf06243dc30

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
