Red Hat Product Errata RHSA-2023:4909 - Security Advisory
Issued:
2023-09-04
Updated:
2023-09-04

RHSA-2023:4909 - Security Advisory

Synopsis

Moderate: Red Hat JBoss Web Server 5.7.4 release and security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat JBoss Web Server 5.7.4 on Red Hat Enterprise Linux versions 7, 8, and 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 5.7.4 serves as a replacement for Red Hat JBoss Web Server 5.7.3. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section.

Security Fix(es):

  • apr: integer overflow/wraparound in apr_encode (CVE-2022-24963)
  • Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
  • tomcat: not including the secure attribute causes information disclosure (CVE-2023-28708)
  • tomcat: Fix for CVE-2023-24998 was incomplete (CVE-2023-28709)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Web Server 5 for RHEL 9 x86_64
  • JBoss Enterprise Web Server 5 for RHEL 8 x86_64
  • JBoss Enterprise Web Server 5 for RHEL 7 x86_64

Fixes

  • BZ - 2169465 - CVE-2022-24963 apr: integer overflow/wraparound in apr_encode
  • BZ - 2172298 - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
  • BZ - 2180856 - CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
  • BZ - 2210321 - CVE-2023-28709 tomcat: Fix for CVE-2023-24998 was incomplete

JBoss Enterprise Web Server 5 for RHEL 9

SRPM
jws5-tomcat-9.0.62-15.redhat_00013.1.el9jws.src.rpm SHA-256: b1e247a4c75310906ef9862cf07c3e9f2d2b7cd75fd4023d7106ac7d943081d5
jws5-tomcat-native-1.2.31-15.redhat_15.el9jws.src.rpm SHA-256: 91e076b62032d721ca7e8e7bea25f670fcc68ed6a7c3b3d225dfcf4eabfecca9
x86_64
jws5-tomcat-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm SHA-256: a24644564a3729d62a1bff1d48bc6fc30e95c2a1d411a84bc462d4ba644cc47b
jws5-tomcat-admin-webapps-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm SHA-256: ad8a4acac2c017e64b90a288f49604f03b3529caaf8fcfae03b80c9fb3f0fef4
jws5-tomcat-docs-webapp-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm SHA-256: f4923309618688cca3aa514dbfdfb037e4bf75ed197a8d9629f826c5613fc2df
jws5-tomcat-el-3.0-api-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm SHA-256: 44f8d873aa5eb06dcffa555cfe5de92f161ed84e116c780469c1798a3de5def4
jws5-tomcat-javadoc-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm SHA-256: eaf1043726837b0ede513ad1ccb7c27e15890abaa27557e1002dfbc754d419e3
jws5-tomcat-jsp-2.3-api-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm SHA-256: 2488bfbff4aeb4c68559f3e52ada9fd27d0cbcddbd7c802b4b89c30e2a4c25cc
jws5-tomcat-lib-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm SHA-256: 3b94cedaa1916952231e81d8e75613bf112f59a2c5ff1ad61ffd9ac63d0176f4
jws5-tomcat-native-1.2.31-15.redhat_15.el9jws.x86_64.rpm SHA-256: bb1dc05591e158e2f0226b6a90a522d1912ea951b11d2c8f972096f37dba1a29
jws5-tomcat-native-debuginfo-1.2.31-15.redhat_15.el9jws.x86_64.rpm SHA-256: f593a61a6daa13f38419ddc6ea36fbf6b1f07fe2d86690ea927f70e66d37c2cf
jws5-tomcat-selinux-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm SHA-256: ff2bb1c9cc6e433d115f89085b524540b94716889ebdc0f4bc7998dce8b9ad5d
jws5-tomcat-servlet-4.0-api-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm SHA-256: 945b5c0b91b14bdf0c684aeb2af75deedfd77bd29d145748afb8aff3fe68be12
jws5-tomcat-webapps-9.0.62-15.redhat_00013.1.el9jws.noarch.rpm SHA-256: accd14e5acb065ae41329b8e9d61bf50e8e5718faaf611cdd5a8e19842cddd80

JBoss Enterprise Web Server 5 for RHEL 8

SRPM
jws5-tomcat-9.0.62-15.redhat_00013.1.el8jws.src.rpm SHA-256: 492627402374a664edaad5fa2bce8f0ab21bfa5d964deaeb2f33ec9e7c70c26a
jws5-tomcat-native-1.2.31-15.redhat_15.el8jws.src.rpm SHA-256: a0f958762445f4ab86d7b5d5b5b155160101ea12eb44706f225c4bba3aa374a3
x86_64
jws5-tomcat-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm SHA-256: 477ba130545a0ba521b993a8f15fa753d45a48fa1e7226382110ba33150f50ac
jws5-tomcat-admin-webapps-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm SHA-256: 648b1edd9e20bfabc94080ba460dbd0d4a0d7c7ebd72e1c15043168282343728
jws5-tomcat-docs-webapp-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm SHA-256: b752608a86f892a67c98af214d31df6db22cacddcf8d9e78819f8fefdd91ad1e
jws5-tomcat-el-3.0-api-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm SHA-256: f831bc2c4e50962def2731ea64ed1c086dccf34374e74815fb901e4729cc5afe
jws5-tomcat-javadoc-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm SHA-256: 52aa541f668b83687d381abe62ba48312b505bbf3db160fc8abfe8a1245518d8
jws5-tomcat-jsp-2.3-api-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm SHA-256: 2cabfc26f5ad7fddf872726236d098d9ab1d473b980dff066c4dcc3b632a9aca
jws5-tomcat-lib-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm SHA-256: 0224c2b80cd13bc9404b7e615c2fd1f5b2c654ea60c0c83a33f70583d00244a2
jws5-tomcat-native-1.2.31-15.redhat_15.el8jws.x86_64.rpm SHA-256: d0b566cfd07e55c5e2ed9aab9f500e36b7ce2657e9a58b875651727588800da6
jws5-tomcat-native-debuginfo-1.2.31-15.redhat_15.el8jws.x86_64.rpm SHA-256: 4dcdd26f12cc12ffebcf12ee928325aa45ad906766a7b14d4961d0a754cc5b83
jws5-tomcat-selinux-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm SHA-256: 87402c2b27550e11e47db9a149e6671e5073e5c95a922946c9d1c832c904227e
jws5-tomcat-servlet-4.0-api-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm SHA-256: 8ac3de79d8e0b3ec52f1cac9bcfc3e1eeeae26f81b989aeec4effc0270d76bd6
jws5-tomcat-webapps-9.0.62-15.redhat_00013.1.el8jws.noarch.rpm SHA-256: ab21de423de767ebe8864dd219ff721d8a433928965a9be314d5197ed0850945

JBoss Enterprise Web Server 5 for RHEL 7

SRPM
jws5-tomcat-9.0.62-15.redhat_00013.1.el7jws.src.rpm SHA-256: 144ef0254a1da1eb8e33c3374fc2fda17df86749c1651876c472b7c0f3a7475f
jws5-tomcat-native-1.2.31-15.redhat_15.el7jws.src.rpm SHA-256: 8e8da0c75cde5e87b050d7520ce8b0487ef21bc8e42c8e6e09fc52fd47a4d2ba
x86_64
jws5-tomcat-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: a0f26d43829a2ab9ce09cb970cdf3515673ddb702f3b0e9f42db4d80f066d591
jws5-tomcat-admin-webapps-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: 0b13853e59208a36459952238e52eddf5b38ab2a74e0217997e41e2a92656a4d
jws5-tomcat-docs-webapp-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: e000439ae79004a8d5320a97b6c12a14c1a3b2a7cf2fb11c60c5d72167fb6f09
jws5-tomcat-el-3.0-api-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: 9ac9e294620e8b44220c6cb659b17fb27e10d04e51a04e911ed1f56957ad7672
jws5-tomcat-java-jdk11-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: 2a6c1c07426ba5ac726834b4e8e54d957c38ab6d75c847dc548fb6b2d3e1f303
jws5-tomcat-java-jdk8-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: eb28a8f0e4ee5bd67d242c1e1fdbd3160b48153b36b9b3cc8cfcf645f4a3daab
jws5-tomcat-javadoc-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: fb45a6846398b1dffde514f20ef4e9b111e82d007eb2a9f77f262d7666512bb5
jws5-tomcat-jsp-2.3-api-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: eb353818cf3416be9ccf941a7e24fc970b29b5df022a6d74dc23575dbd048377
jws5-tomcat-lib-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: 822f4b42bd258a22e4f50cb504f3388ec9c9dc1b11bb982295c91b6e8803c68f
jws5-tomcat-native-1.2.31-15.redhat_15.el7jws.x86_64.rpm SHA-256: c2c195d8f6377f9782e09eaeab22eea28d59b2cf6c4f6ad5c88376dcc3d6a087
jws5-tomcat-native-debuginfo-1.2.31-15.redhat_15.el7jws.x86_64.rpm SHA-256: b0917e7d482e7059015e525f344d97e2ef6f7cb28848a5eafada32bcc86d399a
jws5-tomcat-selinux-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: ac32c7c10fbd71b937363556006b70212b32a50363f5991785c3d8f5cc1c52d7
jws5-tomcat-servlet-4.0-api-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: 5e79b882f40eb4d5955b1d6da2b93e28ab301787b1e02189a6712b733bdf7558
jws5-tomcat-webapps-9.0.62-15.redhat_00013.1.el7jws.noarch.rpm SHA-256: 39d820ac831da9658d7badc2a6fdaebb1f65b70adb8b87474428f553213471d9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.