(RHSA-2020:2333) Important: EAP Continuous Delivery Technical Preview Release 19 security update

Red Hat JBoss Enterprise Application Platform CD19 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform CD19 includes bug fixes and enhancements.

Security Fix(es):

• apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)

• infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174)

• undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)

• netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)

• netty: HTTP request smuggling (CVE-2019-20444)

• netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)

• undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)

• netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

• jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)

• jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969)

• jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111)

• jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112)

• jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113)

• thrift: Endless loop when feed with specific input data (CVE-2019-0205)

• thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

• cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12419)

• cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)

• jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)

• wildfly: The ‘enabled-protocols’ value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)

• jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)

• jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)

• jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)

• jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)

• jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)

• jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)

• jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)

• cxf: reflected XSS in the services listing page (CVE-2019-17573)

• jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)

• resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695)

• jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)

• jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672)

• RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)

• Soteria: security identity corruption across concurrent threads (CVE-2020-1732)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.