Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2019:0877
HistoryApr 24, 2019 - 6:45 p.m.

(RHSA-2019:0877) Important: Red Hat OpenShift Application Runtimes Thorntail 2.4.0 security & bug fix update

2019-04-2418:45:04
access.redhat.com
46

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.045 Low

EPSS

Percentile

92.4%

JSON

Red Hat OpenShift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.

This release of RHOAR Thorntail 2.4.0 serves as a replacement for RHOAR Thorntail 2.2.0, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

  • undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993) (CVE-2018-1067)

  • keycloak: auth permitted with expired certs in SAML client (CVE-2018-10894)

  • undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114)

  • keycloak: infinite loop in session replacement leading to denial of service (CVE-2018-10912)

  • wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) (CVE-2018-10862)

  • jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)

  • jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)

  • jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)

  • jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)

  • jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)

  • jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

  • jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

  • jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)

  • bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Related

redhat 27
osv 22
nessus 18
debian 3
openvas 22
fedora 18
ibm 14
redhatcve 12
debiancve 9
github 11
veracode 11
prion 14
cve 11
ubuntucve 5
symantec 1
suse 1
redhat
redhat
(RHSA-2019:3002) Important: Red Hat FIS 2.0 on Fuse 6.3.0 R13 security and bug fix update
2019-10-10 12:48:05
(RHSA-2019:0782) Important: rh-maven35-jackson-databind security update
2019-04-17 20:45:27
(RHSA-2019:2804) Important: Red Hat JBoss Fuse/A-MQ 6.3 R13 security and bug fix update
2019-09-17 09:21:53
osv
osv
jackson-databind - security update
2019-03-04 00:00:00
jackson-databind - security update
2019-05-24 00:00:00
Improper Neutralization of CRLF Sequences in HTTP Headers in Undertow
2022-05-13 01:14:41
nessus
nessus
Debian DLA-1703-1 : jackson-databind security update
2019-03-05 00:00:00
Debian DSA-4452-1 : jackson-databind - security update
2019-05-28 00:00:00
Fedora 29 : bouncycastle / eclipse-jgit / eclipse-linuxtools / etc (2019-df57551f6d)
2019-02-19 00:00:00
debian
debian
[SECURITY] [DLA 1703-1] jackson-databind security update
2019-03-04 12:13:19
[SECURITY] [DSA 4452-1] jackson-databind security update
2019-05-24 21:04:55
[SECURITY] [DSA 4233-1] bouncycastle security update
2018-06-22 19:59:24
openvas
openvas
Debian: Security Advisory (DLA-1703-1)
2019-03-03 00:00:00
Debian: Security Advisory (DSA-4452-1)
2019-05-26 00:00:00
Fedora Update for jackson-dataformat-xml FEDORA-2019-df57551f6d
2019-05-07 00:00:00
fedora
fedora
[SECURITY] Fedora 29 Update: jackson-parent-2.9.1.2-1.fc29
2019-02-19 14:03:53
[SECURITY] Fedora 29 Update: jackson-dataformat-xml-2.9.8-1.fc29
2019-02-19 14:03:53
[SECURITY] Fedora 29 Update: jackson-module-jsonSchema-2.9.8-1.fc29
2019-02-19 14:03:53
ibm
ibm
Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage SDK Java (Feb 2019, updated)
2019-03-01 00:05:02
Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities
2019-04-26 16:00:01
Security Bulletin: Multiple vulnerabilities have been identified in FasterXML Jackson library shipped with IBM Tivoli Netcool/OMNIbus Common Integration Libraries (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-1000873)
2019-03-05 09:30:01
redhatcve
redhatcve
CVE-2018-1067
2019-10-10 04:10:45
CVE-2018-10862
2020-02-02 02:32:50
CVE-2018-19360
2020-04-09 07:12:14
debiancve
debiancve
CVE-2018-1067
2018-05-21 17:29:00
CVE-2018-12023
2019-03-21 16:00:00
CVE-2018-12022
2019-03-21 16:00:00
github
github
Improper Neutralization of CRLF Sequences in HTTP Headers in Undertow
2022-05-13 01:14:41
Improper Limitation of a Pathname to a Restricted Directory in WildFly
2022-05-14 01:06:25
Bouncy Castle has a flaw in the Low-level interface to RSA key pair generator
2018-10-16 17:44:39
veracode
veracode
HTTP Response Splitting
2018-05-22 02:10:03
Arbitrary File Write
2019-01-15 09:24:28
Weak Computation Of Iterations For MR Primality Test
2018-06-06 07:03:46
prion
prion
Input validation
2018-05-21 17:29:00
Security feature bypass
2018-07-27 14:29:00
Code injection
2018-06-05 13:29:00
cve
cve
CVE-2018-1067
2018-05-21 17:29:00
CVE-2018-10862
2018-07-27 14:29:00
CVE-2018-11307
2019-07-09 16:15:00
ubuntucve
ubuntucve
CVE-2018-1067
2018-05-21 00:00:00
CVE-2018-1000180
2018-06-05 00:00:00
CVE-2018-12022
2019-03-21 00:00:00
symantec
symantec
FasterXML Jackson-databind Deserialization Multiple Remote Code Execution Vulnerabilities
2019-01-02 00:00:00
suse
suse
Security update for bouncycastle (moderate)
2018-09-24 15:08:29

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.045 Low

EPSS

Percentile

92.4%

JSON
Related for RHSA-2019:0877
redhat27osv22nessus18debian3openvas22fedora18ibm14redhatcve12debiancve9github11veracode11prion14cve11ubuntucve5symantec1suse1