Issued:
2019-11-20
Updated:
2019-11-20

RHSA-2019:3933 - Security Advisory

Synopsis

Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Security Release on RHEL 7

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for JBoss Core Services on RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.29 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.

Security Fix(es):

  • openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys (CVE-2018-0737)
  • openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)
  • mod_auth_digest: access control bypass due to race condition (CVE-2019-0217)
  • openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407)
  • mod_session_cookie does not respect expiry time (CVE-2018-17199)
  • mod_http2: DoS via slow, unneeded request bodies (CVE-2018-17189)
  • mod_http2: possible crash on late upgrade (CVE-2019-0197)
  • mod_http2: read-after-free on a string compare (CVE-2019-0196)
  • nghttp2: HTTP/2: large amount of data request leads to denial of service (CVE-2019-9511)
  • nghttp2: HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513)
  • mod_http2: HTTP/2: 0-length headers leads to denial of service (CVE-2019-9516)
  • mod_http2: HTTP/2: request for large response leads to denial of service (CVE-2019-9517)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

  • Red Hat JBoss Core Services 1 for RHEL 7 x86_64

Fixes

  • BZ - 1568253 - CVE-2018-0737 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys
  • BZ - 1644364 - CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm
  • BZ - 1645695 - CVE-2018-5407 openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash)
  • BZ - 1668493 - CVE-2018-17199 httpd: mod_session_cookie does not respect expiry time
  • BZ - 1668497 - CVE-2018-17189 httpd: mod_http2: DoS via slow, unneeded request bodies
  • BZ - 1695020 - CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condition
  • BZ - 1695030 - CVE-2019-0196 httpd: mod_http2: read-after-free on a string compare
  • BZ - 1695042 - CVE-2019-0197 httpd: mod_http2: possible crash on late upgrade
  • BZ - 1735741 - CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption
  • BZ - 1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service
  • BZ - 1741864 - CVE-2019-9516 HTTP/2: 0-length headers lead to denial of service
  • BZ - 1741868 - CVE-2019-9517 HTTP/2: request for large response leads to denial of service

Red Hat JBoss Core Services 1 for RHEL 7

SRPM
jbcs-httpd24-apr-1.6.3-63.jbcs.el7.src.rpm SHA-256: 8f679c740b0d114e356e055b95e781c4555e44cc26a921978f7b284df9664aec
jbcs-httpd24-apr-util-1.6.1-48.jbcs.el7.src.rpm SHA-256: 0c96d85d691b14fb459a244d63b7f0db379f4844bf763ca0a48e9631ecc55f74
jbcs-httpd24-brotli-1.0.6-7.jbcs.el7.src.rpm SHA-256: c7891d7f44ebc14defc4d8656aadb3450f073385e2c94a912f057a65c6e0098d
jbcs-httpd24-curl-7.64.1-14.jbcs.el7.src.rpm SHA-256: 3b8724555baf7d25dd51a8c3322c7e0cbbd8c3da36195bc2b6b3eeda6c2308c5
jbcs-httpd24-httpd-2.4.37-33.jbcs.el7.src.rpm SHA-256: 6ac5d4facfb77617043cb75979c5521762cbd92fcf809e0879d1669a9df9dfa4
jbcs-httpd24-jansson-2.11-20.jbcs.el7.src.rpm SHA-256: 8a4a28cb0ad9e4e8a431e90168d7a063733b5169648a804714de9f4eaa265b6a
jbcs-httpd24-mod_cluster-native-1.3.12-9.Final_redhat_2.jbcs.el7.src.rpm SHA-256: 8099932aca93d928bf0ce1480741eae3236fd2bba3172ad4046f767bc2703c0e
jbcs-httpd24-mod_jk-1.2.46-22.redhat_1.jbcs.el7.src.rpm SHA-256: 71b5beb4e2f09bb7473f641b31cc8cd43e38d0a99e2abc03ae6743f82ccda664
jbcs-httpd24-mod_security-2.9.2-16.GA.jbcs.el7.src.rpm SHA-256: d8a10afcacc0526e525e058764c90ef0269e13758224ae3b6f5a9901791906f3
jbcs-httpd24-nghttp2-1.39.2-4.jbcs.el7.src.rpm SHA-256: 3ef3cdbd6759cfda4f26578904896c754d5624ef25d3c14dd75544962fd1adbd
jbcs-httpd24-openssl-1.1.1-25.jbcs.el7.src.rpm SHA-256: 4ce82fcf50cfd4072804d2f4e93a0549f6cbe78c9181d638569cc9ed12322fe5
x86_64
jbcs-httpd24-apr-1.6.3-63.jbcs.el7.x86_64.rpm SHA-256: 433f07834cbc739b4d42ca217d3273eb3ef7d18d319db57197e9faf21c293ff0
jbcs-httpd24-apr-debuginfo-1.6.3-63.jbcs.el7.x86_64.rpm SHA-256: f00c90b3c2d25d8d605f814de1dcc96b97adb04353dc4615c37ebeaa71e2df07
jbcs-httpd24-apr-devel-1.6.3-63.jbcs.el7.x86_64.rpm SHA-256: 2cda15f7f9064d9c4e436c709b79daf3f72fd6c45ab9b992269540d38a62acfe
jbcs-httpd24-apr-util-1.6.1-48.jbcs.el7.x86_64.rpm SHA-256: 8aabe855eb7b5e4cac070ed618a4519aedd7fe7ad685b462ec3d9326e96f08de
jbcs-httpd24-apr-util-debuginfo-1.6.1-48.jbcs.el7.x86_64.rpm SHA-256: 4c566753f9d77f9b92c3a8b54c90af727204684e39cc4c2a9a33a8a2cc5a1150
jbcs-httpd24-apr-util-devel-1.6.1-48.jbcs.el7.x86_64.rpm SHA-256: 97f856f5c13c7db3b363d7af465fd4e7d3d2d3f75c0f0270b3b0501f5d4929fb
jbcs-httpd24-apr-util-ldap-1.6.1-48.jbcs.el7.x86_64.rpm SHA-256: e4ee709e94a8a5b10ece42878918a0f2cfdc54a8b70281c805d0f05f00b80b16
jbcs-httpd24-apr-util-mysql-1.6.1-48.jbcs.el7.x86_64.rpm SHA-256: 0abd5bf13c347af8d8be91a7741691e718b21af85477b5806940545d55f5a266
jbcs-httpd24-apr-util-nss-1.6.1-48.jbcs.el7.x86_64.rpm SHA-256: 8f5fa7a9b99bab4f2eb72fd03dc8f3c8909af556063daa26af1e0eac84138f7c
jbcs-httpd24-apr-util-odbc-1.6.1-48.jbcs.el7.x86_64.rpm SHA-256: 4439d49e497a8b18e73cee7ef2c6aab9365e7f715282c28289ee9351b457cb94
jbcs-httpd24-apr-util-openssl-1.6.1-48.jbcs.el7.x86_64.rpm SHA-256: c75b0930332bbdeed734f391cb36852345477ab0efd264ba1f42a0be9864da6f
jbcs-httpd24-apr-util-pgsql-1.6.1-48.jbcs.el7.x86_64.rpm SHA-256: eff9805a03b2ad3f9e478c3eaa904a40843f371b457f5e67efaa128cea44ac0f
jbcs-httpd24-apr-util-sqlite-1.6.1-48.jbcs.el7.x86_64.rpm SHA-256: dc423d05b5a73f21cb61f0d70d7e50d1f5f3ea0ff03b146810e82ac7294daeed
jbcs-httpd24-brotli-1.0.6-7.jbcs.el7.x86_64.rpm SHA-256: cd9a51d8155711c48e9a25f9c0be761aade854f022d5675036d8ad35d48721f9
jbcs-httpd24-brotli-debuginfo-1.0.6-7.jbcs.el7.x86_64.rpm SHA-256: f3f2bcdc36ea6f2a5142069f2b7534a2aa88f26e696f547258ec1516f2d5b51a
jbcs-httpd24-brotli-devel-1.0.6-7.jbcs.el7.x86_64.rpm SHA-256: 74cd195ab02a602bf1297a3d9959c8a82dbfeb0cf97414e08fd746cfebf0f8a6
jbcs-httpd24-curl-7.64.1-14.jbcs.el7.x86_64.rpm SHA-256: db0ae76b2cecdd303ce729d644cfc9fed542a2957a37db82fbba4440a54e6dc7
jbcs-httpd24-curl-debuginfo-7.64.1-14.jbcs.el7.x86_64.rpm SHA-256: 140312c710c540de6c48129814d7673baf99c7220e73edfdac6582e40a860a3e
jbcs-httpd24-httpd-2.4.37-33.jbcs.el7.x86_64.rpm SHA-256: 44b15e199c10cb4f9380858c195655a9d2a867441bf3b64f7ffee26ad502c358
jbcs-httpd24-httpd-debuginfo-2.4.37-33.jbcs.el7.x86_64.rpm SHA-256: 69d038e04e5d696414dd2c8ad29b4cc591830eedcaca2d8f22a628837b65e4b4
jbcs-httpd24-httpd-devel-2.4.37-33.jbcs.el7.x86_64.rpm SHA-256: 4a87d2dee4b412a95237d16873c47eecd54231c546753d62bec80328d77deef0
jbcs-httpd24-httpd-manual-2.4.37-33.jbcs.el7.noarch.rpm SHA-256: cc7ef78e151293fc228bc1ccea06ceb48f9f5a4a69a1ccd29ddd5767a0a8d9d9
jbcs-httpd24-httpd-selinux-2.4.37-33.jbcs.el7.x86_64.rpm SHA-256: 00ceaefacbb4b3a8b901375a85d555271dd6fac2dd9c1a657bf90093cf9a5a72
jbcs-httpd24-httpd-tools-2.4.37-33.jbcs.el7.x86_64.rpm SHA-256: 098f412dfe47d7fb1bc603c511f7ffd788b5b987da03a6e6cc6f3ecd8f3d5a96
jbcs-httpd24-jansson-2.11-20.jbcs.el7.x86_64.rpm SHA-256: 540c91d63027d28d0b236adf304c0097cd4e29abb9fabafa0719165089fc5de1
jbcs-httpd24-jansson-debuginfo-2.11-20.jbcs.el7.x86_64.rpm SHA-256: af2bec444b9a93ee341a733c9eb75651ae6fe6743fa568e1ce9e3af891aa8440
jbcs-httpd24-jansson-devel-2.11-20.jbcs.el7.x86_64.rpm SHA-256: 0b0b974e3336d99841bcce82b6dcfecf8f085f3581d8d8029cafdac510bc7223
jbcs-httpd24-libcurl-7.64.1-14.jbcs.el7.x86_64.rpm SHA-256: f4b423301d0b4b89bf5e0317f29c37b502c6456b2f4f819b5cf1760544972aa0
jbcs-httpd24-libcurl-devel-7.64.1-14.jbcs.el7.x86_64.rpm SHA-256: 87fc8f9e91184d71a276b870b9d85abbfa8aa3a9576ce50748226b3104d85889
jbcs-httpd24-mod_cluster-native-1.3.12-9.Final_redhat_2.jbcs.el7.x86_64.rpm SHA-256: 323be2e5641beaa9141e9de9e95e55c5891281a990d67fa0b075b7b491e23423
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.12-9.Final_redhat_2.jbcs.el7.x86_64.rpm SHA-256: d4f0021b0b157d39c2654545069d8c6f8e7320b1af7f52dd7600e74621c4717f
jbcs-httpd24-mod_jk-ap24-1.2.46-22.redhat_1.jbcs.el7.x86_64.rpm SHA-256: 2ba781fbead551ab90e58cd04db76eee6b6c33b4df6b9bc75df72f818d0187aa
jbcs-httpd24-mod_jk-debuginfo-1.2.46-22.redhat_1.jbcs.el7.x86_64.rpm SHA-256: 01c2aacaf946415cee4bb8c575a51ec4f2776dac3462ac8f42f9d8fc43947e57
jbcs-httpd24-mod_jk-manual-1.2.46-22.redhat_1.jbcs.el7.x86_64.rpm SHA-256: 11ba1a0475eb158d3fa54a2ffa5ecb27db1d661753312bc543f546b20cb317fd
jbcs-httpd24-mod_ldap-2.4.37-33.jbcs.el7.x86_64.rpm SHA-256: 9271593459f1b446565bbc7ca83e74a3c5f68ab800f873fbff1156855119b47b
jbcs-httpd24-mod_md-2.4.37-33.jbcs.el7.x86_64.rpm SHA-256: 538041838df857bf0dae28b8436c5ece71704d120158dded5c400c9e5e48c834
jbcs-httpd24-mod_proxy_html-2.4.37-33.jbcs.el7.x86_64.rpm SHA-256: 946509f7fb6d83bfba17f322b3ab5d8573bacf3b3a376b6b65fbb9903223eb5f
jbcs-httpd24-mod_security-2.9.2-16.GA.jbcs.el7.x86_64.rpm SHA-256: f2944f0839d4b09f41173bbac3f482c2605d31cb20dcf37d69f29558411bf8bf
jbcs-httpd24-mod_security-debuginfo-2.9.2-16.GA.jbcs.el7.x86_64.rpm SHA-256: 064f1781cb149f774d4f49508e00021ec9ccbfb5849d23c174818593ebba31ea
jbcs-httpd24-mod_session-2.4.37-33.jbcs.el7.x86_64.rpm SHA-256: 81024bb3d1e8cb998777a63c5012a51bd6ef6ca7159a045426245b01ded38dc1
jbcs-httpd24-mod_ssl-2.4.37-33.jbcs.el7.x86_64.rpm SHA-256: e192d6ac4945e9337ffbee7073783ef4397cb734f9718f62d6fced42b838c762
jbcs-httpd24-nghttp2-1.39.2-4.jbcs.el7.x86_64.rpm SHA-256: dd2a10c9656650fc73e3b3501f0009d012ef06fd235d9f3cd5b813982e23c88b
jbcs-httpd24-nghttp2-debuginfo-1.39.2-4.jbcs.el7.x86_64.rpm SHA-256: fdfb886741ec5e59bfecda1113da5e57b2cada5c5337c5f8d5d2e5b11c82b39c
jbcs-httpd24-nghttp2-devel-1.39.2-4.jbcs.el7.x86_64.rpm SHA-256: 3c3c6bec0403369df62243cccc8607edc845b6f8f51c275ced66823928b8412d
jbcs-httpd24-openssl-1.1.1-25.jbcs.el7.x86_64.rpm SHA-256: a1c0fb2e74ed467bc57f5653c6d486ae58db631bb9e60c6c18308fe173c3ae30
jbcs-httpd24-openssl-debuginfo-1.1.1-25.jbcs.el7.x86_64.rpm SHA-256: e250dbfcec17e7c2db7a07a1106d46c222a8dbb5b114c0a8c00fbd75122d7b5d
jbcs-httpd24-openssl-devel-1.1.1-25.jbcs.el7.x86_64.rpm SHA-256: 837d86bcccb892c515b6b82509720a0443a8d4e667e8ee21d185a8029d33daae
jbcs-httpd24-openssl-libs-1.1.1-25.jbcs.el7.x86_64.rpm SHA-256: 78aa8f48e1e5250b08e9d69ca388f602bc06fd3b1b9183038c93bb40f282c766
jbcs-httpd24-openssl-perl-1.1.1-25.jbcs.el7.x86_64.rpm SHA-256: ed9e0244182b96253e13676697edf7c6649f0479b1e66218c100a46c936d5eec
jbcs-httpd24-openssl-static-1.1.1-25.jbcs.el7.x86_64.rpm SHA-256: 52223e75038eb17b6e5cd3a59fcf3885d4ccc28efd7f56b8ffb41f6da5802a6b

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.