-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat build of Thorntail 2.7.3 security and bug fix update
Advisory ID:       RHSA-2021:0295-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0295
Issue date:        2021-02-08
CVE Names:         CVE-2020-25633 CVE-2020-25640 CVE-2020-25689
                   CVE-2020-27782 CVE-2020-27822
====================================================================

1. Summary:

An update is now available for Red Hat build of Thorntail.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability. For
more information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Thorntail 2.7.3 includes security updates,
bug fixes, and enhancements. For more information, see the release notes
listed in the References section.

Security Fix(es):

* resteasy-client: potential sensitive information leakage in JAX-RS
RESTEasy Client's WebApplicationException handling (CVE-2020-25633)

* wildfly: resource adapter logs plaintext JMS password at warning level on
connection error (CVE-2020-25640)

* wildfly-core: memory leak in WildFly host-controller in domain mode while
not able to reconnect to domain-controller (CVE-2020-25689)

* undertow: special character in query results in server errors
(CVE-2020-27782)

* wildfly: Potential Memory leak in Wildfly when using OpenTracing
(CVE-2020-27822)

For more details about the security issues and their impact, the CVSS
score, acknowledgements, and other related information, see the CVE pages
listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link for the
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

1879042 - CVE-2020-25633 resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling
1881637 - CVE-2020-25640 wildfly: resource adapter logs plaintext JMS password at warning level on connection error
1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
1901304 - CVE-2020-27782 undertow: special character in query results in server errors
1904060 - CVE-2020-27822 wildfly: Potential Memory leak in Wildfly when using OpenTracing

5. References:

https://access.redhat.com/security/cve/CVE-2020-25633
https://access.redhat.com/security/cve/CVE-2020-25640
https://access.redhat.com/security/cve/CVE-2020-25689
https://access.redhat.com/security/cve/CVE-2020-27782
https://access.redhat.com/security/cve/CVE-2020-27822
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.thorntail&version=2.7.3
https://access.redhat.com/documentation/en-us/red_hat_build_of_thorntail/2.7/html/release_notes_for_thorntail_2.7/

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYCD/gtzjgjWX9erEAQhJHw//ef0Pa1nhacDd5CbXoxleprFEI4wqT6YH
PcZXvTKM8NBLqgTCz4DEmvbKp/w0t0UVY951JfuOmAN9LfquDnSH/Ct3NZ8HjRTE
yJXRgpFSMNJyAe5xR+3y5Cy/i+mhPDIB1FIGoeEw+Oj9n0lPutZkE0WVWWF/KCKL
RwWzxAwyMx4i3im52CGZfZ8zTAXsEoQlxsZL5WhWxFFXV7EbPudqkspanQ603UAB
EQge+8Gut+uqD6KHLF9gXb3AGkJd4s5ZIQx6qw8OZfe7Pf1t2n5aNVqIkVkujRsf
WW7ySC9QyiKkTx9OvDRFrfIx1J6R8/8vXasDxwjkYtvCOAC7TYMHqn+F6wtFuDRW
+0F85LrxwYs7I0GBorhqdRyoris23oOTQ8FoKu4Tq2sPMxh3eyQXF/dPpsb9aH5e
Zbz39pJTGZUN7GO5gWSkHe/F9kyBEoUwpl7zQiEJrvEN43oikkbeIJzBYAUqpWH9
e00hQWK31MUAh5RrPVpSKNyhwZbkTHuNnIjrgzanDBXAxJJloRwesYvGxeQKgfAY
Cc2V6mtEiBtX1lPF8aJz2IV0WKU3Y3tq6r9LOWR01aa7AEUHOEiJZXtlBHTHkIKv
72CUbONHsONpILwWnVliwUz8H2m9WZCsO+Pz4AsgiHKpPHwdfSvPq9FuXX1dBKCK
FJ3Nkc2nu4E=
=OdXE
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce