RHSA-2018:2469 - Security Advisory

Issued: 2018-08-16
Updated: 2018-08-16

Synopsis

Important: Red Hat JBoss Web Server 3.1.0 Service Pack 4 security and bug fix update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7.

Red Hat Product Security has rated this release as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)
  • tomcat-native: Mishandled OCSP invalid response (CVE-2018-8019)
  • tomcat-native: Mishandled OCSP responses can allow clients to authenticate with revoked certificates (CVE-2018-8020)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
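
For CVE-2018-8014, a useful check alongside patching is to find applications whose `web.xml` declares Tomcat's `CorsFilter` without pinning its origin and credential settings, since those inherit whatever defaults the installed build ships. The following is an added example, not part of the advisory or of Red Hat's tooling; it assumes the upstream Tomcat init-param names `cors.allowed.origins` and `cors.support.credentials`, and the sample descriptors are constructed.

```python
import xml.etree.ElementTree as ET

CORS_FILTER = "org.apache.catalina.filters.CorsFilter"

# Constructed sample descriptors (not taken from the advisory).
SAMPLE_DEFAULTS = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
</web-app>"""

SAMPLE_PINNED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""


def local(tag):
    # Drop the "{namespace}" prefix so any web-app schema version matches.
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_cors(web_xml):
    """Return (filter-name, finding) pairs for risky CorsFilter declarations."""
    findings = []
    for f in ET.fromstring(web_xml).iter():
        if local(f.tag) != "filter" or child_text(f, "filter-class") != CORS_FILTER:
            continue
        params = {child_text(p, "param-name"): child_text(p, "param-value")
                  for p in f if local(p.tag) == "init-param"}
        name = child_text(f, "filter-name")
        origins = params.get("cors.allowed.origins")
        creds = params.get("cors.support.credentials")
        if origins is None or creds is None:
            findings.append((name, "relies on filter defaults; set origins and credentials explicitly"))
        if (origins or "") == "*" and (creds or "").lower() == "true":
            findings.append((name, "explicit wildcard origin with credentials enabled"))
    return findings


if __name__ == "__main__":
    for label, doc in (("defaults", SAMPLE_DEFAULTS), ("pinned", SAMPLE_PINNED)):
        print(label, audit_cors(doc))
```

A filter flagged for relying on defaults should be given an explicit origin list even after the update is applied, so its behaviour no longer depends on the installed Tomcat build.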

The following packages have been upgraded to a newer upstream version:

  • OpenSSL (1.0.2n)
  • APR (1.6.3)

CVE-2018-8019 and CVE-2018-8020 were discovered by Coty Sutherland (Red Hat).

Solution

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Web Server 3 for RHEL 7 x86_64
  • JBoss Enterprise Web Server 3 for RHEL 6 x86_64
  • JBoss Enterprise Web Server 3 for RHEL 6 i386

Fixes

  • BZ - 1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
  • BZ - 1581569 - CVE-2018-8020 tomcat-native: Mishandled OCSP responses can allow clients to authenticate with revoked certificates
  • BZ - 1583998 - CVE-2018-8019 tomcat-native: Mishandled OCSP invalid response

CVEs

  • CVE-2018-8014
  • CVE-2018-8019
  • CVE-2018-8020

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/html-single/red_hat_jboss_web_server_3.1_service_pack_4_release_notes/

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
