First published: Thu Sep 17 2020
Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.

This release of Red Hat Data Grid 7.3.7 serves as a replacement for Red Hat Data Grid 7.3.6 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum.

Security Fix(es):

* jetty: Incorrect header handling (CVE-2017-7658)
* EAP: field-name is not parsed in accordance to RFC7230 (CVE-2020-1710)
* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)
* undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757)
* jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)
* jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)
* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)
* jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)
* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672)
* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673)
* jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)
* jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969)
* jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111)
* jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112)
* jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113)
* jackson-databind: Serialization gadgets in org.springframework:spring-aop (CVE-2020-11619)
* jackson-databind: Serialization gadgets in commons-jelly:commons-jelly (CVE-2020-11620)
* jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)
* resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695)
* Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)
* Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748)
* wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)
* netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)
* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.