-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat support for Spring Boot 2.1.13 security and bug fix update Advisory ID: RHSA-2020:2367-01 Product: Red Hat OpenShift Application Runtimes Advisory URL: https://access.redhat.com/errata/RHSA-2020:2367 Issue date: 2020-06-04 CVE Names: CVE-2019-14888 CVE-2020-1745 CVE-2020-1935 CVE-2020-1938 ===================================================================== 1. Summary: An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [NOTE: This security advisory was unintentionally omitted at the time of the initial software release on 2020-03-23. The advisory is informational only; no files in the release have changed.] 2. Description: Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. This release of Red Hat support for Spring Boot 2.1.13 serves as a replacement for Red Hat support for Spring Boot 2.1.12, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section. Security Fix(es): * undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888) * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745) * tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability (CVE-2020-1938) * tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2020-1935) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1772464 - CVE-2019-14888 undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS 1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability 1806835 - CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling 1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability 5. References: https://access.redhat.com/security/cve/CVE-2019-14888 https://access.redhat.com/security/cve/CVE-2020-1745 https://access.redhat.com/security/cve/CVE-2020-1935 https://access.redhat.com/security/cve/CVE-2020-1938 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=catRhoar.spring.boot&downloadType=distributions&version=2.1.13 https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/ 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXtjzItzjgjWX9erEAQhRnBAAgpEgqMeB96HzQIjlr/B0OO6906+Xsy+g r7JiPWF9UCcRZuD/2Lrt8RFSY9ethRdehQJ+oJs3yUhvo0wXRZ/hr1gDCGUooWme blKnhyf5+J4avq+fJFLkhZzPJzYTCAGMLe5Wt/+Ze9TsdscVTwTbrha7ZEzIwKGe 7D6+T3LW9H0t/jveVD3gr5KkUL0SObKhAUz3YYLacP9HM4OxncVCs5MxSut++bT9 ayhIwflDbdmXNsTjUujkIY+v6aLMmFH3NqvGcQ5lNxR5lbxWcllK4ekFnYFHTBB1 hdk3FWqcgSdhn1axKhDvtpRZGw1f3Tf+USaL7Z+6bVOQN3xnf195grSzj6ReNcJQ PxHNh9cF4+JSbYNVAIC7ynTDbPV6XV+gHDZozdDRGEFkd2jiFK+tlF5PK3/FYBmj FOpj5n+/1OSegHykq/VXl8bEGtzkTMwnxLe3N0axZcx+xsanxNtEYjstftkUhlg7 WmhxBIxrV8ZQkg9BC9yt9hm0weODFDJjeExkQ6a3bqh9amT51AnCxctS3HW51VRV 9JWrlD1llJAOqYk6CxpF8xv61my2apUJ3qvxPF5Ut3f9hDUdB7/X/RhHxp2NQqHj i5JDpi0RkxnILYejIYuQQYLMe1PqOFhBH8KgABI0rljgYG9A0McYef/LgOHrJztn BWRTdLg2CuQ= =tT0B -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce