Issued:
2017-09-13
Updated:
2017-09-13

RHSA-2017:2709 - Security Advisory

Synopsis

Important: Red Hat JBoss Core Services security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for JBoss Core Services on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2 serves as an update for Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
  • It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)
  • A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)

Red Hat would like to thank OpenVPN for reporting CVE-2016-2183. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Gaëtan Leurent (Inria) as the original reporters of CVE-2016-2183.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

Affected Products

  • Red Hat JBoss Core Services 1 for RHEL 7 x86_64
  • Red Hat JBoss Core Services 1 for RHEL 7 ppc64

Fixes

  • BZ - 1243888 - CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4
  • BZ - 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
  • BZ - 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest

CVEs

References

Red Hat JBoss Core Services 1 for RHEL 7

SRPM
jbcs-httpd24-httpd-2.4.23-122.jbcs.el7.src.rpm SHA-256: 50d3515c4c0d4353cd6863858cdf1f42f2fc8a0fdba774875b1af08e6e496b87
jbcs-httpd24-openssl-1.0.2h-14.jbcs.el7.src.rpm SHA-256: 8dab352d5fb849bf1e156e0f963100597a0d59865086178994c6cd757bacca27
x86_64
jbcs-httpd24-httpd-2.4.23-122.jbcs.el7.x86_64.rpm SHA-256: c3da9e8ab6d672591a0263677330ea7a7e9ba9369bb9d6b56a9b6d52a547cafb
jbcs-httpd24-httpd-debuginfo-2.4.23-122.jbcs.el7.x86_64.rpm SHA-256: 05b4464ac5ccef2b7bf7160156ae3521be463f33762d3838f569c4d33b1b3ec5
jbcs-httpd24-httpd-devel-2.4.23-122.jbcs.el7.x86_64.rpm SHA-256: 4d518ac231650cbda8acdd52d6160becbb095544f13102822a7d6ad25bfbee24
jbcs-httpd24-httpd-libs-2.4.23-122.jbcs.el7.x86_64.rpm SHA-256: 08a2cb2c08f20a8f1c84c0bfe33e70a273542f8f7d443dbd3001898738d7ce1b
jbcs-httpd24-httpd-manual-2.4.23-122.jbcs.el7.noarch.rpm SHA-256: 9543cd24e3a5d6c6c325545c46f946039d0de7c8c9e15792bf648f27d63d4f1b
jbcs-httpd24-httpd-selinux-2.4.23-122.jbcs.el7.x86_64.rpm SHA-256: 4e3bd9424c7408fa0ba9f49f3a35eac4e5163684bc2e92f40d6c575e3e6eb362
jbcs-httpd24-httpd-tools-2.4.23-122.jbcs.el7.x86_64.rpm SHA-256: 4c55881fb7d5c36f4d078bae0cda2c8f10354fef1a0a620b70fff6bfafde9161
jbcs-httpd24-mod_ldap-2.4.23-122.jbcs.el7.x86_64.rpm SHA-256: 21fe4094148223942fb35a6b1b50345e09b119e1aa62f1ed1655e1a633355e24
jbcs-httpd24-mod_proxy_html-2.4.23-122.jbcs.el7.x86_64.rpm SHA-256: a721063634230f3a098a7d4fcfa786c3ac4de8925b713c02f5c07dfeac092442
jbcs-httpd24-mod_session-2.4.23-122.jbcs.el7.x86_64.rpm SHA-256: c6b3ca1c45d06da061d5f86bd13bb7d7ae17026909ba8d6d74e8f0d7778e7706
jbcs-httpd24-mod_ssl-2.4.23-122.jbcs.el7.x86_64.rpm SHA-256: 362312a337a7d4c5da03228aafc00315cc791b792567e7fcd24860c43f94aded
jbcs-httpd24-openssl-1.0.2h-14.jbcs.el7.x86_64.rpm SHA-256: 3e2cbb7afac1763265e7aade677b55dde94b092cc293bdc138d4d63ede02100d
jbcs-httpd24-openssl-debuginfo-1.0.2h-14.jbcs.el7.x86_64.rpm SHA-256: 5cb86e8ce6aa226fcc74d8dd66d67098e438bb3950e40a67474b5ee2ef70dbe6
jbcs-httpd24-openssl-devel-1.0.2h-14.jbcs.el7.x86_64.rpm SHA-256: 0d122b9590a32813708f58b6c8ab72e11bd41a4de6aee478f2a23601fd5bf7c1
jbcs-httpd24-openssl-libs-1.0.2h-14.jbcs.el7.x86_64.rpm SHA-256: 7573dce77ec2d028ac054a56b4869f49f8ddb5b5b6bb1e02c7fc6bb52e85dc4a
jbcs-httpd24-openssl-perl-1.0.2h-14.jbcs.el7.x86_64.rpm SHA-256: 5cb831e54fc67bd00c2a57c04e22f698d848e07cf59e66e2a8a35e252f18e122
jbcs-httpd24-openssl-static-1.0.2h-14.jbcs.el7.x86_64.rpm SHA-256: 0a6c87fc6b670ea42f5f885de5ae9c7a3fc8f54d63209b248cf210f4650f079d
ppc64
jbcs-httpd24-httpd-2.4.23-122.jbcs.el7.ppc64.rpm SHA-256: 926fe18ca3b52c81fe3cf4283132de24be350dc043adae9a3dd97088db7bd0ac
jbcs-httpd24-httpd-debuginfo-2.4.23-122.jbcs.el7.ppc64.rpm SHA-256: 795c109a4cea6f1c7402c6cb2ed03dcc15fbdeaa64ff3a9a2440bb6f68bf8826
jbcs-httpd24-httpd-devel-2.4.23-122.jbcs.el7.ppc64.rpm SHA-256: 306033c240fb7ef50370d0515d3c86cdd9edbb130e6720cd69c68e8277e157c7
jbcs-httpd24-httpd-libs-2.4.23-122.jbcs.el7.ppc64.rpm SHA-256: 5e26ff3a38e816eb30d9ac47a6df31f4f7ce4f6edc8cbdd13c62a334d028a627
jbcs-httpd24-httpd-manual-2.4.23-122.jbcs.el7.noarch.rpm SHA-256: 9543cd24e3a5d6c6c325545c46f946039d0de7c8c9e15792bf648f27d63d4f1b
jbcs-httpd24-httpd-selinux-2.4.23-122.jbcs.el7.ppc64.rpm SHA-256: af3f65a41e99ff71590db06ef4def493caada951e7e5fce8b28744ccc2a72c04
jbcs-httpd24-httpd-tools-2.4.23-122.jbcs.el7.ppc64.rpm SHA-256: 5324b3d866b6e00e787e732a3d778b61b102ea44cfdf5b27cfbec3a4c8e45302
jbcs-httpd24-mod_ldap-2.4.23-122.jbcs.el7.ppc64.rpm SHA-256: 2e83119efbf37f62c9af1226cb38b546dc51e168c155aaaa19d791ad612695d1
jbcs-httpd24-mod_proxy_html-2.4.23-122.jbcs.el7.ppc64.rpm SHA-256: 1ad4f1ed74cc0505e413376436c9d7088badb397f8cbd5ff3ae28d7d957a6f12
jbcs-httpd24-mod_session-2.4.23-122.jbcs.el7.ppc64.rpm SHA-256: 8018e42714ac6a1605234f3afa3ba46ca260ab83f422003284aa99e3cbd9392a
jbcs-httpd24-mod_ssl-2.4.23-122.jbcs.el7.ppc64.rpm SHA-256: 32f44b67de4ce831bd7b07cbf3440ad0ccdea742296f1e0cf7fba788fd761d41
jbcs-httpd24-openssl-1.0.2h-14.jbcs.el7.ppc64.rpm SHA-256: f1082ce9744c910fe2667b8db6d4825a73942a329b66af85a19134ffd188a32d
jbcs-httpd24-openssl-debuginfo-1.0.2h-14.jbcs.el7.ppc64.rpm SHA-256: 0930b22598bee84df42407eb7beef6786a42aad0d427247d3bf85aedb5bdbbaa
jbcs-httpd24-openssl-devel-1.0.2h-14.jbcs.el7.ppc64.rpm SHA-256: 3f16a85ecba8b33459045bc74b90146e5c0904062f800d2845cac9cd3166da3a
jbcs-httpd24-openssl-libs-1.0.2h-14.jbcs.el7.ppc64.rpm SHA-256: e43738ec566ab1e5a90f0bec1bcfc0d9f6f92946267d739681cadd76c8a21319
jbcs-httpd24-openssl-perl-1.0.2h-14.jbcs.el7.ppc64.rpm SHA-256: c7f657217fb8a0e73dd7393039b43010d0d30f6b5f6b1bfca3cc6a570aab77ef
jbcs-httpd24-openssl-static-1.0.2h-14.jbcs.el7.ppc64.rpm SHA-256: 656cd752ea55f0a30a847be60df3250d7c9d51ab01543a48fc45ca845841e286

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.