First published: Mon May 18 2020
This release of Red Hat build of Thorntail 2.5.1 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.

Security Fix(es):

- apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default (CVE-2019-10086)
- cxf: does not restrict the number of message attachments (CVE-2019-12406)
- cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12419)
- hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
- HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
- HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
- HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)
- HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)
- jackson-databind: multiple serialization gadgets (CVE-2019-17531, CVE-2019-16943, CVE-2019-16942, CVE-2019-17267, CVE-2019-14540, CVE-2019-16335, CVE-2019-14893, CVE-2019-14892, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2020-10969, CVE-2020-10968, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2019-20330, CVE-2020-8840)
- jackson-databind: mishandles the interaction between serialization gadgets and typing, which could result in remote command execution (CVE-2020-10672, CVE-2020-10673)
- keycloak: adapter endpoints are exposed via arbitrary URLs (CVE-2019-14820)
- keycloak: missing signature validation on the CRL used to verify client certificates (CVE-2019-3875)
- keycloak: SAML broker does not check for the existence of a signature on the document, allowing impersonation of any user (CVE-2019-10201)
- keycloak: CSRF check missing in My Resources functionality in the Account Console (CVE-2019-10199)
- keycloak: cross-realm user access auth bypass (CVE-2019-14832)
- netty: HTTP request smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
- SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current thread's context class loader (CVE-2020-1729)
- thrift: out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
- thrift: endless loop when fed specific input data (CVE-2019-0205)
- undertow: possible denial of service (DoS) in the Undertow HTTP server listening on HTTPS (CVE-2019-14888)
- wildfly: the 'enabled-protocols' value in legacy security is not respected if the OpenSSL security provider is in use (CVE-2019-14887)
- wildfly-core: incorrect privileges for the 'Monitor', 'Auditor' and 'Deployer' users by default (CVE-2019-14838)
- xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400)

For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.