Red Hat 제품 에라타 RHSA-2021:4861 - Security Advisory
발행된 날짜:
2021-11-30
업데이트된 날짜:
2021-11-30

RHSA-2021:4861 - Security Advisory

요약

Important: Red Hat JBoss Web Server 5.6.0 Security release

유형/심각도

Security Advisory: Important

Red Hat Lightspeed patch analysis

이 권고의 영향을 받는 시스템을 식별하고 수정합니다.

영향을 받는 시스템 보기

주제

Updated Red Hat JBoss Web Server 5.6.0 packages are now available for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

설명

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 5.6.0 serves as a replacement for Red Hat JBoss Web Server 5.5.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.

Security Fix(es):

  • tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS (CVE-2021-42340)
  • tomcat: HTTP request smuggling when used with a reverse proxy (CVE-2021-33037)
  • tomcat: JNDI realm authentication weakness (CVE-2021-30640)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

솔루션

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

영향을 받는 제품

  • JBoss Enterprise Web Server 5 for RHEL 8 x86_64
  • JBoss Enterprise Web Server 5 for RHEL 7 x86_64

수정

  • BZ - 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy
  • BZ - 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness
  • BZ - 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS

JBoss Enterprise Web Server 5 for RHEL 8

SRPM
jws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.src.rpm SHA-256: 3b234b8c81a51a9842af6577a3882f86d3af9277825f7ce3b482ad434c75b2e0
jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.src.rpm SHA-256: e0db4ed0c8c3fad373ab19b4463c9760f95b3c1c76d874a6adba04e04f5e74a7
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.src.rpm SHA-256: e8883960782c9ef24dd6262b8a41cfbe9377bb39a405a861135151bbdd6fb7a9
x86_64
jws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm SHA-256: cf26a446cbcd57bd19c8c548c6d1e9841ea3e2171fa2f77fee390eae7e48820d
jws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm SHA-256: 6bac6face73725647c5fd60ebd9bfcaf298a7fae35c594dc4e5a75a9109661c9
jws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm SHA-256: 46f7bc04d695077fb6bb36adeaa5dd8db5df0ad1b8b776d28331556cc8dd6049
jws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm SHA-256: 89018ec4fda4e300b21c88ca5c8d03be7f3a6ee1e1d6b41e7c0228a164853822
jws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm SHA-256: d9eeb4a086f4969210c12183a08d9f08228dddcf95b8bcf2ed69efccb6f7f262
jws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm SHA-256: 7002e9c031e71f332f991a8c565d1392272376069a1a9a5ae0607ec1a83ce7a4
jws5-tomcat-lib-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm SHA-256: 1a56c2742523d887c614daa43d30c1190eda50b8a49c88c34663d2ec4b322ed6
jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.x86_64.rpm SHA-256: 5e3677f30b36ffae3f643a502e7a1e9e71183d0668954730c0043ff0c7c301ae
jws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el8jws.x86_64.rpm SHA-256: 942264f7c135572535f995f52a72f25a3c8ff6790873651d6b3ca70a19779bdf
jws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm SHA-256: 9f5673bb6c4cf058c7c6d2d21c6f8b25c7e3657d8bd4d82eb21dc0eed5efd9de
jws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm SHA-256: f80745d3e9e50d5731605cb96fd1834b99817ce71758fa4e889555609417ce9c
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm SHA-256: bb280b9836512d11fa3dff4e0cdbc4c8ea5aeb18a8fd62ec0ea5f31ecc72b2e5
jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm SHA-256: 9c477e0c80284cc3fd90be879a05ed98fa4aa2deb51944e450e28feb53e9622c
jws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm SHA-256: a108ab1ef234e25d28903d070518a48a5eb472ea62e5eacfbe7c14cdb85d263c

JBoss Enterprise Web Server 5 for RHEL 7

SRPM
jws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.src.rpm SHA-256: eb70d84bca10085ee64680364836d02e4960687d8dbf00f8e45984a7f31cb2bc
jws5-tomcat-native-1.2.30-3.redhat_3.el7jws.src.rpm SHA-256: df75a8d0e226787d167027c348ab37a055439e37bca96f82575f11681ff6facb
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.src.rpm SHA-256: 062553dfc3ab37ffa2f6a6c9a7b179c958a83d66818a5a5dec7c692b4281ece6
x86_64
jws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: 9ea95d40528c7797ad6926d254392e17752210c7fc04f9546578a690ff1b67d5
jws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: 3ddeddcb61066737c94294c05a1f94f126f92f9eba193f03432da6118ee5088b
jws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: a156124e43b53049f77740139c4e3df6941f957563986dc734d57e994f3e8afd
jws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: 7e37477417571f8a1a68bb821f28626cec22476b433d5ac929933735ce823ac6
jws5-tomcat-java-jdk11-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: 8fb5384a18656d8a0ddb7d83e63e87959df0073d39c6c97551cb00ab33f1ddef
jws5-tomcat-java-jdk8-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: ffd61462e0e553df86a1bb2c4c05eb687d32cdf7cdef6b26452170bdd73777ad
jws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: 8df159173b177969ee01e288a687e4dc05d33d86fc494dcb5ff453135a8ed840
jws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: bceef8a8504371910a01ba38e4d2899a86d414042eeb7de9b4e99081fc970894
jws5-tomcat-lib-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: a3145a0480ee83ad72aaafb1c16552aaf15ca5272384d9d582362382878b3105
jws5-tomcat-native-1.2.30-3.redhat_3.el7jws.x86_64.rpm SHA-256: 10c1eab9f30515f2444430232d29633efa9f20be6b3d04117a673df56ac4c0b0
jws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el7jws.x86_64.rpm SHA-256: 94aa81170dd3c446e6d2857a85ec5b291754482ca20e6d6132a6020d78d57114
jws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: ff599f85b42db992a7ed226adc89bdad4e2e8c6f3e7b5dfe740283fc64c3c7d6
jws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: 1626e6885e65b4b6572fcade437ed46836febecff7d8fddd79f8d51dd1943c0d
jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm SHA-256: a556d020a89b8a202bd009b4cbc25d09c6ba772e922b0613e0d577f11bd7f686
jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm SHA-256: 0d72b62b75e11f631797d2082db468cd26db7336c2ae7e0882b6fe15e49da49b
jws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm SHA-256: 26040a34f6979491fa53c6f6d366fce6fd8dc5d369f71ca0a89e8f7bac59a5da

Red Hat 제품 보안팀 연락처는 secalert@redhat.com입니다. https://access.redhat.com/security/team/contact/에 더 많은 연락처 정보가 있습니다.